PT-2024-3066 · Unknown · Openmetadata
Pwntester · Published 2024-03-11 · Updated 2024-04-24 · CVE-2024-28848

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenMetadata versions prior to 1.2.4

Description: The issue lies in the CompiledRule::validateExpression method, which evaluates a SpEL expression using a StandardEvaluationContext. That context lets the expression interact with arbitrary Java classes, such as java.lang.Runtime, which leads to Remote Code Execution. The /api/v1/policies/validation/condition/<expression> endpoint passes user-controlled data to CompiledRule::validateExpression, so an authenticated non-admin user can execute arbitrary system commands on the underlying operating system. The endpoint also lacks an authorization check: Authorizer.authorize() is never called in the affected path, so any authenticated non-admin user can reach it and have arbitrary SpEL expressions evaluated, resulting in arbitrary command execution.

Recommendations: For OpenMetadata versions prior to 1.2.4, upgrade to version 1.2.4 or later to resolve the issue. As a temporary workaround, restrict access to the /api/v1/policies/validation/condition/<expression> endpoint to prevent exploitation. Additionally, disabling the CompiledRule::validateExpression method or restricting the use of the StandardEvaluationContext until a patch is available can help minimize the risk of exploitation.
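The following is an added illustration of the "restrict the use of the StandardEvaluationContext" recommendation; it is not OpenMetadata's code and does not reproduce CompiledRule::validateExpression. It uses only the Spring Expression API (SpelExpressionParser, StandardEvaluationContext, SimpleEvaluationContext) and a hypothetical RuleInput root object standing in for whatever a policy condition is evaluated against. It shows why a StandardEvaluationContext is the wrong tool for user-supplied expressions: it resolves type references (T(...)) to any class on the classpath, whereas SimpleEvaluationContext.forReadOnlyDataBinding() confines the expression to property reads on the root object and rejects type references outright.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RuleContextDemo {

    // Hypothetical root object: the data a policy condition is allowed to inspect.
    public static class RuleInput {
        private final String resourceOwner;

        public RuleInput(String resourceOwner) {
            this.resourceOwner = resourceOwner;
        }

        public String getResourceOwner() {
            return resourceOwner;
        }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak: StandardEvaluationContext resolves type references, constructors and
    // method calls against the whole JDK, so an untrusted expression can reach
    // classes that have nothing to do with policy evaluation.
    static Object evaluateWithStandardContext(String expr, RuleInput root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Hardened: SimpleEvaluationContext in read-only data-binding mode only
    // permits property access on the root object. Its type locator rejects every
    // T(...) reference, so the expression cannot name arbitrary Java classes.
    static Object evaluateWithSimpleContext(String expr, RuleInput root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        RuleInput root = new RuleInput("alice");

        // Constructed inputs: a legitimate policy-style condition, and a harmless
        // expression that merely references a JDK class to show the difference.
        String benignCondition = "resourceOwner == 'alice'";
        String typeReference = "T(java.lang.Math).random() >= 0";

        // Both contexts evaluate the legitimate condition against the root object.
        System.out.println("standard, benign: " + evaluateWithStandardContext(benignCondition, root));
        System.out.println("simple,   benign: " + evaluateWithSimpleContext(benignCondition, root));

        // Only the standard context resolves the class reference.
        System.out.println("standard, type ref: " + evaluateWithStandardContext(typeReference, root));
        try {
            evaluateWithSimpleContext(typeReference, root);
            System.out.println("simple,   type ref: unexpectedly evaluated");
        } catch (EvaluationException e) {
            // SimpleEvaluationContext raises a SpelEvaluationException for the T(...) lookup.
            System.out.println("simple,   type ref: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Swapping the context is a containment measure, not a substitute for the missing authorization check: the endpoint still needs Authorizer.authorize() (or equivalent) before any expression is evaluated, and the version upgrade remains the actual fix.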

Tags: Exploit · Fix · Code Injection

Weakness Enumeration

Related Identifiers
BDU:2024-03259
CVE-2024-28848
GHSA-5XV3-FM7G-865R

Affected Products
Openmetadata