CVE-2024-28255
Published: 2024-03-15
Priority: P1 (92), critical; CVSS 3.1 score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (VulnCheck KEV; initial access)
EPSS: 73.26% (99.4th percentile)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against a list of excluded endpoints that do not require authentication. When the request's path contains any of the excluded endpoints, the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation, allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses `SecurityContext.getUserPrincipal()`, since it will return `null` and an NPE will be thrown. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-metadata | openmetadata | < 1.2.4 | 1.2.4 |
Detection & IOCs (extracted from sources)
URL IOC: `/api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22{{payload}}%22)))`
- Detect authentication bypass attempts by inspecting HTTP request paths for semicolon-based path parameter injection patterns (e.g., `;v1%2fusers%2flogin`) prepended to arbitrary API endpoints, which causes JwtFilter to skip JWT validation.
- Alert on HTTP requests to `/api/v1/events/subscriptions/validation/condition/` containing SpEL expressions referencing Java runtime classes such as `java.lang.Runtime` or `java.util.Base64`, indicating attempted RCE via SpEL injection chained with the auth bypass.
- Monitor for HTTP 400 responses from OpenMetadata containing `java.lang.Boolean` in the JSON body, which is a positive indicator of successful SpEL expression evaluation (as used in the Nuclei template matcher).
- In Kubernetes environments, hunt for OpenMetadata pods executing outbound DNS or network connections (e.g., via nslookup or Netcat reverse shells) from within the container, as attackers validate RCE via DNS callback before downloading cryptomining payloads from a remote server in China.
- Detect persistence mechanisms: monitor for new cronjob creation within OpenMetadata containers, as attackers use cronjobs to schedule recurring execution of malicious code.
- Use the Shodan favicon hash `733091897` to identify Internet-exposed OpenMetadata instances for proactive patching or monitoring.
- Enumerate all OpenMetadata workloads in Kubernetes using the command below to identify unpatched instances (versions 1.2.3 and below are vulnerable).
- Caveat: the authentication bypass via path parameter injection does NOT work for endpoints that call `SecurityContext.getUserPrincipal()`, as it will return null and throw a NullPointerException; exploitation is limited to endpoints that do not require a resolved principal.
- Caveat: only OpenMetadata versions 1.2.3 and below are vulnerable; version 1.2.4 and newer contain the patch. Detections should be scoped accordingly.
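The first two detection items above can be turned into a log scanner. The following is an added, defender-side example (not code from this page, the Nuclei template, or the OpenMetadata project). It assumes Common Log Format access-log lines (the sample lines are constructed, not real traffic) and relies on the JAX-RS rule that `;key=value` matrix parameters are ignored when resource paths are matched, so stripping every `;...` from the request path yields the endpoint the request is actually routed to. A path parameter that URL-decodes to something containing a `/` is the signature of the substring trick the advisory describes, and is flagged independently of whether a SpEL payload follows.

```python
"""Scan access-log lines for CVE-2024-28255-style path-parameter injection
and for SpEL indicators on the event-subscription validation endpoint."""
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not taken from an incident.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2024:10:00:01 +0000] "GET /api/v1/users/login HTTP/1.1" 200 512
10.0.0.7 - - [15/Mar/2024:10:00:02 +0000] "GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111 HTTP/1.1" 400 97
10.0.0.7 - - [15/Mar/2024:10:00:03 +0000] "GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime) HTTP/1.1" 400 97
10.0.0.9 - - [15/Mar/2024:10:00:04 +0000] "GET /api/v1/tables;foo=bar?limit=10 HTTP/1.1" 401 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')
CLIENT_RE = re.compile(r"^(?P<client>\S+)")

# Endpoint reached without JWT validation in the advisory's example, and the
# Java class names the detection guidance on this page lists as SpEL indicators.
SPEL_SINK = "/events/subscriptions/validation/condition/"
SPEL_MARKERS = ("T(", "java.lang.Runtime", "java.util.Base64", "getRuntime", "exec(")


def strip_path_parameters(path):
    """Return (effective_path, path_parameters).

    JAX-RS ignores ';...' matrix parameters when matching resource paths, so
    the route actually dispatched is the path with every ';...' removed.
    """
    segments, params = [], []
    for segment in path.split("/"):
        head, sep, tail = segment.partition(";")
        segments.append(head)
        if sep:
            params.append(tail)
    return "/".join(segments), params


def analyze_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    raw_path = match.group("target").split("?", 1)[0]
    effective, params = strip_path_parameters(raw_path)
    decoded = unquote(effective)
    indicators = set()
    # A legitimate matrix parameter never decodes to a path fragment; one that
    # contains '/' exists only to satisfy a substring check against the
    # excluded-endpoint list while the request is routed elsewhere.
    if any("/" in unquote(p) for p in params):
        indicators.add("path_param_injection")
    if SPEL_SINK in decoded and any(marker in decoded for marker in SPEL_MARKERS):
        indicators.add("spel_injection_attempt")
    if not indicators:
        return None
    return {
        "client": CLIENT_RE.match(line).group("client"),
        "method": match.group("method"),
        "effective_path": decoded,
        "status": int(match.group("status")),
        "indicators": sorted(indicators),
    }


def scan(log_text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `effective_path` field is what an analyst should pivot on: it shows the endpoint the request really reached rather than the raw string the filter matched against. Version 1.2.4 and newer are not affected, so the scanner is most useful for triaging traffic to instances that were exposed before the upgrade.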
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
No detection rules found.
Nuclei: OpenMetadata - Authentication Bypass (CRITICAL, CVSS 9.8)
Metasploit: OpenMetadata authentication bypass and SpEL injection exploit chain (HIGH, CVSS 8.8)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. This module chains two vulnerabilities that exist in the OpenMetadata application. The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens. It misuses the `JwtFilter` that checks the path of the URL endpoint against a list of excluded endpoints that do not require authentication. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings that will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authen
Wiz: Crying Out Cloud - May 2024 Newsletter (blog, 2024-05-06, CRITICAL, CVSS 10.0)
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
## 🔎 Highlights
Architecture Risks that May Compromise AI-as-a-Service Providers
Wiz research recently performed a security audit of Hugging Face and discovered several security issues that would have allowed an actor running a specially-crafted malicious model on Hugging Face's infrastructure to achieve remote code execution and cross-tenant access to other customers' spaces or models. All these issues were remediated by Hugging Face and no customer action is required.
Learn more in our blog.
## 🐞 High Profile Vulnerabilities
DoS Vulnerability in HTTP/2 CONTINUATION Frames
Bleepingcomputer
BleepingComputer: Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks (Sergiu Gatlan, 2024-04-17, CRITICAL, CVSS 9.4)
In an ongoing Kubernetes cryptomining campaign, attackers target OpenMetadata workloads using critical remote code execution and authentication vulnerabilities.
OpenMetadata is an open-source metadata management platform that helps data engineers and scientists to catalog and discover data assets within their organization, including databases, tables, files, and services.
The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were reported on December 14 by GitHub Security Lab's Alvaro Muñoz and patched on January 5 in OpenMetadata versions 1.2.4 and newer.
According to Collate CTO and OpenMetadata project m
References
- https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111
- https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84
- https://www.vicarius.io/vsociety/posts/authentication-bypass-with-path-parameter-in-openmetadata-cve-2024-28255