Arbitrary Command Execution Vulnerability in OpenMetadata Platform

CVE-2024-28254

What is CVE-2024-28254?

OpenMetadata, a unified platform designed for discovery, observability, and governance, is susceptible to a security vulnerability that allows authenticated non-admin users to execute arbitrary system commands. This vulnerability arises from the use of the ?AlertUtil::validateExpression method, which evaluates user-controlled SpEL expressions by employing getValue with the StandardEvaluationContext. As a result, malicious actors can interact with Java classes, including java.lang.Runtime, and perform Remote Code Execution through the /api/v1/events/subscriptions/validation/condition/<expression> endpoint. A significant oversight is a missing authorization check, as Authorizer.authorize() is bypassed during execution, enabling any authenticated user to exploit this flaw. It is critical for users to upgrade to version 1.2.4 to mitigate this vulnerability, as no workarounds exist for the issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2024-28254
Created by Rapid7

References