Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-28253

Description

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

POC

Reference

- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-7vf4-x5m2-r6gr

Github

- https://github.com/0day404/HV-2024-POC

- https://github.com/12442RF/POC

- https://github.com/AboSteam/POPC

- https://github.com/DMW11525708/wiki

- https://github.com/Lern0n/Lernon-POC

- https://github.com/Linxloop/fork_POC

- https://github.com/NaInSec/CVE-LIST

- https://github.com/Warren-Jace/poc-doc

- https://github.com/WhosGa/MyWiki

- https://github.com/Yuan08o/pocs

- https://github.com/admin772/POC

- https://github.com/adminlove520/pocWiki

- https://github.com/adysec/POC

- https://github.com/cisp-pte/POC-20241008-sec-fork

- https://github.com/eeeeeeeeee-code/POC

- https://github.com/fkie-cad/nvd-json-data-feeds

- https://github.com/greenberglinken/2023hvv_1

- https://github.com/iemotion/POC

- https://github.com/laoa1573/wy876

- https://github.com/oLy0/Vulnerability

- https://github.com/tanjiti/sec_profile

- https://github.com/tequilasunsh1ne/OpenMetadata_policies_rce

- https://github.com/wjlin0/poc-doc

- https://github.com/wooluo/POC00

- https://github.com/wy876/POC

- https://github.com/wy876/wiki