SB2024042222 - Multiple vulnerabilities in OpenMetadata
Published: April 22, 2024 Updated: November 8, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2024-28255)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests in JwtFilter. A remote attacker can bypass authentication process and reach any arbitrary endpoint.
2) Code Injection (CVE-ID: CVE-2024-28254)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the SpEL injection in "GET /api/v1/events/subscriptions/validation/condition/
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Code Injection (CVE-ID: CVE-2024-28848)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the SpEL injection in "GET /api/v1/policies/validation/condition/
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Code Injection (CVE-ID: CVE-2024-28847)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the SpEL injection in "PUT /api/v1/events/subscriptions". A remote user can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84
- https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111
- https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-j86m-rrpr-g8gw
- https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection
- https://github.com/open-metadata/OpenMetadata/blob/84054a85d3478e3e3795fe92daa633ec11c9d6d9/openmetadata-service/src/main/java/org/openmetadata/service/events/subscription/AlertUtil.java#L101
- https://github.com/open-metadata/OpenMetadata/blob/84054a85d3478e3e3795fe92daa633ec11c9d6d9/openmetadata-service/src/main/java/org/openmetadata/service/events/subscription/AlertUtil.java#L108
- https://github.com/spring-projects/spring-framework/blob/4e2d3573189b7c0afce62bce29cd915de4077f56/spring-expression/src/main/java/org/springframework/expression/spel/standard/SpelExpression.java#L106
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5xv3-fm7g-865r
- https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/CompiledRule.java#L51
- https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/CompiledRule.java#L57
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-8p5r-6mvv-2435
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java#L693
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EventSubscriptionRepository.java#L69-L83
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java#L219
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/events/subscription/EventSubscriptionResource.java#L289