CVE-2024-28253

Name of the Vulnerable Software and Affected Versions OpenMetadata versions prior to 1.3.1

Description The issue is related to incorrect code generation management in OpenMetadata, which can be exploited to execute arbitrary code remotely. An attacker can send a PUT request to "/api/v1/policies" to reach the vulnerable method. The CompiledRule::validateExpression function is called from PolicyRepository.prepare, and prepare() is called from EntityRepository.prepareInternal(), which in turn gets called from EntityResource.createOrUpdate(). Although there is an authorization check, it is called after the SpEL expression has been evaluated, allowing potential exploitation. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1.

Recommendations For OpenMetadata versions prior to 1.3.1, upgrade to version 1.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v1/policies" endpoint to minimize the risk of exploitation. Additionally, restricting the use of the condition parameter in the affected API endpoint can help mitigate the risk until a patch is applied.