CVE-2024-28255
published 2024-03-15


Priority: P1 / 92 (critical)
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: exploited in the wild (ITW exploit), VulnCheck KEV, initial access
EPSS: 73.26% (99.4th percentile)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens; it keeps a list of endpoints that are excluded from authentication. When a new request comes in, the request's path is checked against this exclusion list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use path parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation, allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses `SecurityContext.getUserPrincipal()`, since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.

Affected (1 range)

Vendor: open-metadata
Product: openmetadata
Version range: < 1.2.4
Fixed in: 1.2.4

Detection & IOCs (extracted from sources)

url: GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111
url: /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22{{payload}}%22)))
path: /api/v1/events/subscriptions/validation/condition/
  • Detect authentication bypass attempts by inspecting HTTP request paths for semicolon-based path parameter injection patterns (e.g., `;v1%2fusers%2flogin`) prepended to arbitrary API endpoints, which causes JwtFilter to skip JWT validation.
  • Alert on HTTP requests to `/api/v1/events/subscriptions/validation/condition/` containing SpEL expressions referencing Java runtime classes such as `java.lang.Runtime` or `java.util.Base64`, indicating attempted RCE via SpEL injection chained with the auth bypass.
  • Monitor for HTTP 400 responses from OpenMetadata containing `java.lang.Boolean` in the JSON body, which is a positive indicator of successful SpEL expression evaluation (as used in the Nuclei template matcher).
  • In Kubernetes environments, hunt for OpenMetadata pods executing outbound DNS or network connections (e.g., via nslookup or Netcat reverse shells) from within the container, as attackers validate RCE via DNS callback before downloading cryptomining payloads from a remote server in China.
  • Detect persistence mechanisms: monitor for new cronjob creation within OpenMetadata containers, as attackers use cronjobs to schedule recurring execution of malicious code.
  • Use the Shodan favicon hash `733091897` to identify Internet-exposed OpenMetadata instances for proactive patching or monitoring.
  • Enumerate all OpenMetadata workloads in Kubernetes using the command below to identify unpatched instances (versions 1.2.3 and below are vulnerable).
  • The authentication bypass via path parameter injection does NOT work for endpoints that call `SecurityContext.getUserPrincipal()`, as it will return null and throw a NullPointerException; exploitation is limited to endpoints that do not require a resolved principal.
  • Only OpenMetadata versions 1.2.3 and below are vulnerable; version 1.2.4 and newer contain the patch. Detections should be scoped accordingly.
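The bullets above describe two request shapes to look for (a semicolon path parameter smuggling an excluded endpoint string, and SpEL markers aimed at the validation/condition route) and the description explains why a substring match on the path is what lets the smuggled string through. The following is an added example, not code from this page or from the OpenMetadata project, that puts both together: a small model of the flawed substring check beside a normalized-route check, and a scanner that applies the two detection rules to a few constructed access-log lines. It assumes a common access-log request-line format, that `;` inside a path segment introduces a matrix (path) parameter, and a one-entry exclusion list (`v1/users/login`, the string the advisory shows being smuggled); the real `JwtFilter` exclusion list is not on the page.

```python
import re
from urllib.parse import unquote

# Values taken from the advisory text on this page.
SINK_PATH = "/api/v1/events/subscriptions/validation/condition/"
# Assumption: one entry of JwtFilter's real exclusion list (the string the advisory smuggles).
EXCLUDED_ENDPOINTS = ("v1/users/login",)
# Substrings that betray a SpEL payload reaching for Java runtime classes (constructed list).
SPEL_MARKERS = ("T(java.", "getRuntime()", ".exec(", "java.util.Base64")
# Request line of a common access-log format (assumption about the log source).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def strip_matrix_params(path):
    """Split a raw path into (route, params): route has every ';...' suffix removed
    from each segment, params holds the URL-decoded suffixes that were removed."""
    route_parts, params = [], []
    for seg in path.split("/"):
        base, sep, rest = seg.partition(";")
        route_parts.append(base)
        if sep:
            params.append(unquote(rest))
    return "/".join(route_parts), params


def excluded_by_substring(path):
    """Model of the flawed check the advisory describes: an excluded endpoint string
    appearing anywhere in the decoded path skips JWT validation."""
    decoded = unquote(path)
    return any(ep in decoded for ep in EXCLUDED_ENDPOINTS)


def excluded_by_route(path):
    """Hardened variant (example only, not the project's fix): drop matrix parameters
    first, then compare the decoded route against the exclusion list exactly."""
    route, _ = strip_matrix_params(path)
    return unquote(route) in {"/api/" + ep for ep in EXCLUDED_ENDPOINTS}


def analyze_request(target):
    """Return finding tags for one request target (empty list when nothing matched)."""
    path = target.split("?", 1)[0]          # matrix params live in the path, not the query
    route, params = strip_matrix_params(path)
    findings = []
    if params:
        findings.append("matrix-param")      # unusual for this API; worth a look on its own
        # A parameter that decodes to a path separator or an excluded endpoint string
        # is the bypass shape from the advisory.
        if any("/" in p or any(ep in p for ep in EXCLUDED_ENDPOINTS) for p in params):
            findings.append("auth-bypass-path-param")
    if unquote(route).startswith(SINK_PATH) and any(m in unquote(path) for m in SPEL_MARKERS):
        findings.append("spel-injection")
    return findings


def scan_log(lines):
    """Run analyze_request over access-log lines; return (line_no, target, findings) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = analyze_request(m["target"])
        if findings:
            hits.append((n, m["target"], findings))
    return hits


# Constructed sample log lines; the targets in lines 2 and 3 are the URLs quoted on this
# page, everything else (addresses, timestamps, sizes) is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2024:10:00:01 +0000] "GET /api/v1/users/login HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Mar/2024:10:00:02 +0000] "GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111 HTTP/1.1" 400 88',
    '10.0.0.9 - - [15/Mar/2024:10:00:03 +0000] "GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22{{payload}}%22))) HTTP/1.1" 400 96',
    '10.0.0.7 - - [15/Mar/2024:10:00:04 +0000] "GET /api/v1;foo=bar/tables HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for n, target, findings in scan_log(SAMPLE_LOG):
        print("line", n, ":", ", ".join(findings), " ", target[:70])
```

Line 1 is a normal login and is left alone; line 2 is tagged as the bypass shape even though it carries no payload; line 3 is tagged as bypass plus SpEL injection; line 4 shows that a matrix parameter by itself only earns the low-severity tag. The third bullet (HTTP 400 with `java.lang.Boolean` in the body) needs response bodies, which access logs do not carry, so it is left to WAF or application-level logging.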

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL