CVE-2024-28848
published 2024-03-15


Priority: P1 83 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
In the wild: VulnCheck KEV, exploited in the wild
EPSS: 7.89% (94.0th percentile)
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `CompiledRule::validateExpression` method evaluates a SpEL expression using a `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/policies/validation/condition/` endpoint passes user-controlled data to `CompiledRule::validateExpression`, allowing authenticated (non-admin) users to execute arbitrary system commands on the underlying operating system. In addition, there is a missing authorization check: `Authorizer.authorize()` is never called in the affected path, so any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions, leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. This issue may lead to Remote Code Execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
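As an added illustration (not OpenMetadata's own code), the two evaluation-context shapes the description contrasts: an unrestricted `StandardEvaluationContext`, and a read-only `SimpleEvaluationContext` that only resolves properties of a known root object. The class, method and property names are placeholders modelled on the advisory, not the project's source.

```java
// Added example, not OpenMetadata code: unrestricted vs. restricted SpEL evaluation.
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RuleConditionDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Hypothetical root object: only the fields a policy condition legitimately needs.
    public static class RuleContext {
        private final boolean owner;
        private final String entityType;
        public RuleContext(boolean owner, String entityType) { this.owner = owner; this.entityType = entityType; }
        public boolean isOwner() { return owner; }
        public String getEntityType() { return entityType; }
    }

    // VULNERABLE shape (what the advisory describes): StandardEvaluationContext lets the
    // expression reference arbitrary JVM types and call their methods.
    static boolean validateExpressionUnsafe(String condition) {
        Expression expr = PARSER.parseExpression(condition);
        return Boolean.TRUE.equals(expr.getValue(new StandardEvaluationContext(), Boolean.class));
    }

    // HARDENED shape: a read-only SimpleEvaluationContext registers no type locator, no
    // constructor resolvers and no method resolvers, so T(...) references, constructors and
    // method calls fail; only public properties of the root object are readable.
    static boolean validateExpressionSafe(String condition, RuleContext root) {
        Expression expr = PARSER.parseExpression(condition);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return Boolean.TRUE.equals(expr.getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        RuleContext ctx = new RuleContext(true, "table");
        // A legitimate policy condition still evaluates normally.
        System.out.println(validateExpressionSafe("owner && entityType == 'table'", ctx)); // true
        // Any type reference is rejected by the restricted context.
        try {
            validateExpressionSafe("T(java.lang.Math).random() > -1", ctx);
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The advisory's second defect, the missing `Authorizer.authorize()` call on the endpoint, is independent of the context choice: the endpoint must still run its authorization check before any expression is parsed.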

Affected (1 range)

Vendor          Product        Version range   Fixed in
open-metadata   openmetadata   < 1.2.4         1.2.4

Detection & IOCs (extracted from sources)

URL: /api/v1/policies/validation/condition/
  • Monitor for SpEL (Spring Expression Language) injection attempts targeting the /api/v1/policies/validation/condition/ endpoint; payloads referencing java.lang.Runtime are indicative of exploitation.
  • Any authenticated non-admin user triggering the /api/v1/policies/validation/condition/ endpoint should be treated as suspicious, as no authorization check (Authorizer.authorize()) is performed on this path.
  • Hunt for outbound connections from OpenMetadata containers to remote servers in China, which were used to host cryptomining malware payloads delivered post-exploitation.
  • Detect Netcat reverse shell activity originating from OpenMetadata containers, used by attackers to establish persistent remote access post-exploitation.
  • Look for newly created cronjobs within OpenMetadata Kubernetes pods, which attackers use to maintain persistence by scheduling malicious code execution.
  • Alert on Monero (XMR) cryptomining processes or related miner binaries spawned from OpenMetadata container processes, consistent with observed attacker objectives.
  • Exploitation requires only authentication as a non-admin user; no elevated privileges are needed. Ensure default credentials are changed on all Internet-exposed OpenMetadata deployments.
  • The vulnerability is fully remediated only in OpenMetadata version 1.2.4 and newer; no workarounds exist for older versions.
  • Active exploitation of this CVE (alongside CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28254) has been observed in the wild since early April, targeting Internet-exposed Kubernetes OpenMetadata workloads.

CVSS provenance

NVD: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH