Arbitrary Endpoint Injection Vulnerability in OpenMetadata's JwtFilter
CVE-2024-28255

9.8 CRITICAL

Key Information:

Vendor
CVE Published:
15 March 2024

Badges

👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 93% | 📰 News Worthy

What is CVE-2024-28255?

CVE-2024-28255 is a vulnerability in OpenMetadata's JwtFilter that allows attackers to bypass JWT token validation and reach arbitrary endpoints, potentially leading to arbitrary endpoint injection and a bypass of the authentication mechanism. The issue has been addressed in version 1.2.4, and users are advised to upgrade. There are no known workarounds for this vulnerability.

The remote code execution (RCE) vulnerability in OpenMetadata, which affects versions earlier than 1.2.4, allows attackers to execute arbitrary commands, potentially leading to server compromise. The recommended solution is to update to the latest version.

No known exploits by ransomware groups are specified in the articles.

Affected Version(s)

OpenMetadata < 1.2.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

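CVE-2024-28255: OpenMetadata RCE reproduction, with bulk scanning/exploitation

Introduction to OpenMetadata: OpenMetadata is a unified platform for discovery, observability, and governance, powered by a central metadata repository, in-depth lineage, and seamless team collaboration. OpenMetadata is based on open metadata standards and...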

OpenMetadata - Authentication Bypass (CVE-2024-28255)

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration.

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by Pentest-Tools.com
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved