Platform
java
Component
org.open-metadata:openmetadata-service
Fixed in
1.3.2
1.3.1
CVE-2024-28253 describes a critical SpEL (Spring Expression Language) injection vulnerability discovered in the OpenMetadata Service. This flaw allows authenticated users to inject malicious expressions, potentially leading to remote code execution. The vulnerability impacts versions of OpenMetadata Service up to and including DEMO_BETA1. A fix is available in version 1.3.1.
The SpEL injection vulnerability in OpenMetadata Service poses a significant risk to organizations deploying this platform. An attacker with authenticated access to the /api/v1/policies endpoint can craft malicious payloads that are interpreted as code by the Spring Expression Language engine. This can lead to arbitrary code execution on the server, granting the attacker complete control over the OpenMetadata Service instance. The impact extends beyond data compromise; an attacker could potentially pivot to other systems within the network if the OpenMetadata Service has access to sensitive resources or network segments. This vulnerability shares similarities with other SpEL injection attacks, highlighting the importance of input validation and secure coding practices.
CVE-2024-28253 was publicly disclosed on April 23, 2024. The vulnerability's criticality (CVSS score of 9.4) and the potential for remote code execution suggest a high probability of exploitation. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation inherent in SpEL injection vulnerabilities makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Organizations deploying OpenMetadata Service, particularly those using the DEMO_BETA1 or earlier versions, are at significant risk. Environments where the OpenMetadata Service is exposed to untrusted networks or where user authentication is not properly enforced are especially vulnerable. Shared hosting environments utilizing OpenMetadata Service should be carefully reviewed for potential exposure.
• linux / server:
journalctl -u openmetadata-service -g 'PolicyRepository.prepare' --since "1 hour ago"
• java / supply-chain:
Inspect the PolicyRepository.prepare method in the OpenMetadata codebase for suspicious calls to expression evaluation functions. Look for instances where user-supplied data is directly incorporated into expressions without proper sanitization.
• generic web:
Monitor access logs for requests to /api/v1/policies with unusual or malformed payloads. Specifically, look for requests containing characters and constructs commonly used in SpEL expressions (e.g., #, T(java.lang.Runtime).getRuntime().exec(...)). Note that a standard access log records only the request line, not the body of a PUT, so the payload has to be captured at the gateway or application layer for this check to see it.
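As an added illustration of the log monitoring suggested above (example code, not part of this advisory or of OpenMetadata itself), the following Python script scans constructed JSON-lines request records and flags writes to /api/v1/policies whose body is malformed or whose rule conditions contain SpEL building blocks such as type references. The record field names and the payload shape (`rules[].condition`) are assumptions made for this example.

```python
import json
import re

# Constructed sample log records (JSON lines), not real OpenMetadata output.
# The field names ts/user/method/path/body are assumptions made for this
# example; adapt them to whatever your gateway or application logger emits.
SAMPLE_LOG = """
{"ts":"2024-04-23T10:00:01Z","user":"alice","method":"GET","path":"/api/v1/tables","body":""}
{"ts":"2024-04-23T10:00:02Z","user":"bob","method":"PUT","path":"/api/v1/policies","body":"{\\"name\\":\\"pii\\",\\"rules\\":[{\\"condition\\":\\"!matchAnyTag('PII.Sensitive')\\"}]}"}
{"ts":"2024-04-23T10:00:03Z","user":"mallory","method":"PUT","path":"/api/v1/policies","body":"{\\"name\\":\\"x\\",\\"rules\\":[{\\"condition\\":\\"T(java.lang.Runtime).getRuntime()\\"}]}"}
{"ts":"2024-04-23T10:00:04Z","user":"eve","method":"PUT","path":"/api/v1/policies","body":"{\\"name\\":\\"y\\",\\"rules\\":[{\\"condition\\":"}
"""

# SpEL constructs that have no place in a policy condition but are the
# building blocks of injection: type references T(...), variable and bean
# references, constructor calls, reflection and process-spawning APIs.
SPEL_INDICATORS = re.compile(
    r"(?<!\w)T\s*\(|#\w+|@\w+|\bnew\s+[\w.]+\s*\(|java\.lang\.|getRuntime|ProcessBuilder|getClass\s*\("
)

def extract_conditions(body: str):
    """Rule condition strings of a policy payload, or None if the body is not valid JSON."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None  # malformed payload: itself a signal on this endpoint
    if not isinstance(payload, dict):
        return []
    return [r.get("condition", "") for r in payload.get("rules", []) if isinstance(r, dict)]

def spel_indicators(condition: str) -> list:
    """Distinct indicator substrings found in one condition, sorted."""
    return sorted({m.group(0) for m in SPEL_INDICATORS.finditer(condition)})

def analyze_log(text: str) -> list:
    """Report writes to /api/v1/policies whose payload is malformed or whose
    rule conditions contain SpEL indicators."""
    findings = []
    for raw in text.strip().splitlines():
        rec = json.loads(raw)
        if not rec.get("path", "").startswith("/api/v1/policies") or rec.get("method") not in ("PUT", "POST", "PATCH"):
            continue  # reads carry no policy body
        conditions = extract_conditions(rec.get("body", ""))
        hits = [] if conditions is None else sorted({h for c in conditions for h in spel_indicators(c)})
        if conditions is None or hits:
            findings.append({"ts": rec["ts"], "user": rec["user"], "indicators": hits,
                             "reason": "malformed-json" if conditions is None else "spel-indicators"})
    return findings
```

Running `analyze_log(SAMPLE_LOG)` reports only the mallory and eve records; the legitimate tag-matching condition from bob produces no finding.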
EPSS
92.00% (100th percentile)
The primary mitigation for CVE-2024-28253 is to upgrade to OpenMetadata Service version 1.3.1 or later, which includes a fix for the vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds. Restrict access to the /api/v1/policies endpoint to only trusted users and roles. Implement strict input validation on all data submitted to this endpoint, specifically looking for potentially malicious SpEL expressions. While a WAF might offer some protection, it's not a substitute for patching. Monitor system logs for suspicious activity related to the /api/v1/policies endpoint, looking for unusual requests or errors.
Update OpenMetadata to version 1.3.1 or later. This version fixes the SpEL injection vulnerability in the `PUT /api/v1/policies` API and prevents the resulting remote code execution.
CVE-2024-28253 is a critical vulnerability allowing authenticated users to execute arbitrary code in OpenMetadata Service versions ≤DEMO_BETA1 through a SpEL injection in the /api/v1/policies endpoint.
You are affected if you are running OpenMetadata Service versions prior to 1.3.1. Verify your version and upgrade immediately.
Upgrade to OpenMetadata Service version 1.3.1 or later to remediate the vulnerability. Restrict access to the /api/v1/policies endpoint as a temporary workaround.
While no widespread exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high probability of future attacks. Monitor for activity.
Refer to the OpenMetadata security advisories page for the latest information and updates: [https://open-metadata.org/security/](https://open-metadata.org/security/)