CVE-2024-28254
Published: 2024-03-15
Priority: P1 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 45.73% (98.6th percentile)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `AlertUtil::validateExpression` method evaluates a SpEL expression using `getValue`, which by default uses the `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/events/subscriptions/validation/condition/` endpoint passes user-controlled data to `AlertUtil::validateExpression`, allowing authenticated (non-admin) users to execute arbitrary system commands on the underlying operating system. In addition, there is a missing authorization check: `Authorizer.authorize()` is never called in the affected path, so any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions, leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-235`. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
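To make the two evaluation contexts concrete, here is an added illustration (not OpenMetadata's code) of the unsafe pattern the advisory describes beside the hardened one that restricts it; the `Event` class and the expressions are constructed for the demo, and the only dependency assumed is `spring-expression`.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed stand-in for the object an alert condition is evaluated against.
    public static final class Event {
        public String getEntityType() { return "table"; }
    }

    // Unsafe pattern: StandardEvaluationContext (also what getValue() with no context
    // falls back to) resolves T(...) type references, constructors and bean references,
    // so an attacker-controlled expression can reach any class on the classpath.
    static Object evaluateUnsafe(String expr, Object root) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext.forReadOnlyDataBinding() exposes only
    // read-only property access on the root object (no T(...), no constructors, no
    // bean references, and no method calls unless withInstanceMethods() is added).
    static Object evaluateSafe(String expr, Object root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Event event = new Event();
        String legit = "entityType == 'table'";        // shape of a legitimate condition
        String typeRef = "T(java.lang.Math).abs(-1)";  // benign stand-in for a T(...) probe

        System.out.println("standard, legit   : " + evaluateUnsafe(legit, event));
        System.out.println("standard, typeRef : " + evaluateUnsafe(typeRef, event));
        System.out.println("simple,   legit   : " + evaluateSafe(legit, event));
        try {
            evaluateSafe(typeRef, event);
        } catch (SpelEvaluationException e) {
            // SimpleEvaluationContext's type locator refuses every type reference
            System.out.println("simple,   typeRef : rejected (" + e.getMessageCode() + ")");
        }
    }
}
```

Both contexts accept the legitimate condition; only the standard one lets the type reference through, which is the property the validation endpoint needed.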
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-metadata | openmetadata | < 1.2.4 | 1.2.4 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the endpoint `/api/v1/events/subscriptions/validation/condition/` for SpEL expression injection payloads, especially those referencing `java.lang.Runtime` or containing base64-encoded nested payloads.
- Detect multi-layer base64-encoded payloads in HTTP request bodies targeting OpenMetadata endpoints; in the observed campaign the final decoded payload is a reverse shell command.
- Alert on reverse shell connections (e.g., via Netcat) originating from OpenMetadata container processes, as attackers establish reverse shells after initial RCE exploitation.
- Detect suspicious cronjob creation within OpenMetadata containers, used by attackers to maintain persistent access and schedule malicious code execution.
- Flag outbound network connections from OpenMetadata containers to remote servers in China used to download cryptomining malware payloads.
- Flag the missing authorization check on the `/api/v1/events/subscriptions/validation/condition/` path: `Authorizer.authorize()` is never called, so any authenticated non-admin user can trigger SpEL evaluation.
- The vulnerability affects OpenMetadata versions 1.2.3 and below; version 1.2.4 contains the patch. Ensure workloads are running 1.2.4 or newer.
- The vulnerable code uses `StandardEvaluationContext` (not a sandboxed context) for SpEL evaluation, meaning any SpEL expression can reach arbitrary Java classes. Switching to `SimpleEvaluationContext` would restrict this.
- Internet-exposed OpenMetadata workloads with default credentials are at heightened risk; admins should change default credentials in addition to patching.
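As an added detection sketch (not taken from any of the cited sources), the following checks a request against the first two indicators above: a SpEL type reference or `java.lang.Runtime` mention aimed at the validation endpoint, and a body that unwraps through two or more base64 layers. The request samples are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

public class OpenMetadataSpelDetector {
    static final String TARGET_PATH = "/api/v1/events/subscriptions/validation/condition/";

    // Counts how many consecutive base64 layers the body unwraps through while the
    // decoded result is still printable text; 0 means the body is not base64 at all.
    static int base64Depth(String body) {
        int depth = 0;
        String current = body.trim();
        while (depth < 8 && !current.isEmpty()) {
            byte[] decoded;
            try {
                decoded = Base64.getDecoder().decode(current);
            } catch (IllegalArgumentException e) {
                break;                                   // not valid base64: stop unwrapping
            }
            String text = new String(decoded, StandardCharsets.UTF_8);
            if (!text.chars().allMatch(c -> c >= 0x20 && c < 0x7f)) break;
            depth++;
            current = text.trim();
        }
        return depth;
    }

    // True when a request to the vulnerable endpoint carries a SpEL type reference
    // (T(java...)) or a java.lang.Runtime mention, or a multi-layer base64 body.
    static boolean isSuspicious(String path, String body) {
        if (!path.startsWith(TARGET_PATH)) return false;
        String lower = body.toLowerCase();
        boolean typeReference = lower.contains("t(java.") || lower.contains("java.lang.runtime");
        return typeReference || base64Depth(body) >= 2;
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder();
        String once = enc.encodeToString("placeholder-payload".getBytes(StandardCharsets.UTF_8));
        String twice = enc.encodeToString(once.getBytes(StandardCharsets.UTF_8));
        List<String[]> samples = List.of(              // constructed {path, body} pairs
            new String[]{TARGET_PATH, "{\"condition\": \"entityType == 'table'\"}"},
            new String[]{TARGET_PATH, "{\"condition\": \"T(java.lang.Math).abs(-1)\"}"},
            new String[]{TARGET_PATH, twice},
            new String[]{"/api/v1/tables", twice});
        for (String[] s : samples)
            System.out.println(isSuspicious(s[0], s[1]) + "  " + s[0] + "  " + s[1]);
    }
}
```

Only the second and third samples are flagged: the first is a normal condition and the fourth hits an unrelated path, so a rule keyed on the endpoint keeps the false-positive surface small.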
CVSS provenance
- NVD: CVSS 3.1 base score 8.8 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 (HIGH)
No detection rules found.
Check Point Research · blogs_checkpoint · 2024-08-14
Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities (references CVE-2022-22954)
## Executive Summary
Research by Erez Goldberg
Server-Side Template Injection (SSTI) vulnerabili
Wiz · blogs_wiz · 2024-05-06 · CVSS 10.0 [CRITICAL]
Crying Out Cloud - May 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
## 🔎 Highlights
Architecture Risks that May Compromise AI-as-a-Service Providers
Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.
Learn more in our blog.
## 🐞 High Profile Vulnerabilities
DoS Vulnerability in HTTP/2 CONTINUATION Frames
BleepingComputer · blogs_bleepingcomputer · 2024-04-17 · CVSS 9.4 [CRITICAL]
## Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
By Sergiu Gatlan
In an ongoing Kubernetes cryptomining campaign, attackers target OpenMetadata workloads using critical remote code execution and authentication vulnerabilities.
OpenMetadata is an open-source metadata management platform that helps data engineers and scientists to catalog and discover data assets within their organization, including databases, tables, files, and services.
The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were reported on December 14 by GitHub Security Lab's Alvaro Muñoz and patched on January 5 in OpenMetadata versions 1.2.4 and newer.
According to Collate CTO and OpenMetadata project m
References
- https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection
- https://github.com/open-metadata/OpenMetadata/blob/84054a85d3478e3e3795fe92daa633ec11c9d6d9/openmetadata-service/src/main/java/org/openmetadata/service/events/subscription/AlertUtil.java#L101
- https://github.com/open-metadata/OpenMetadata/blob/84054a85d3478e3e3795fe92daa633ec11c9d6d9/openmetadata-service/src/main/java/org/openmetadata/service/events/subscription/AlertUtil.java#L108
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-j86m-rrpr-g8gw
- https://github.com/spring-projects/spring-framework/blob/4e2d3573189b7c0afce62bce29cd915de4077f56/spring-expression/src/main/java/org/springframework/expression/spel/standard/SpelExpression.java#L106