Arbitrary Command Execution Vulnerability in OpenMetadata Platform

CVE-2024-28848

What is CVE-2024-28848?

OpenMetadata is a platform designed for metadata discovery, observability, and governance. A vulnerability exists in the method ?CompiledRule::validateExpression which evaluates SpEL expressions via a StandardEvaluationContext. This flaw permits the expression to interact with Java classes, specifically allowing for Remote Code Execution. The endpoint /api/v1/policies/validation/condition/<expression> potentially allows authenticated non-admin users to execute arbitrary system commands by passing user-controlled data. Notably, there is a lack of an authorization check since the Authorizer.authorize() method is not invoked in this context. Thus, any authenticated user can leverage this to evaluate arbitrary expressions, further jeopardizing system integrity. This vulnerability has been acknowledged in related advisories and is recommended for addressing in version 1.2.4 with no available workaround.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References