PT-2024-3067 · Unknown · Openmetadata

Pwntester

·

Published

2024-03-11

·

Updated

2025-09-04

·

CVE-2024-28847

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenMetadata versions prior to 1.2.4
Description: The issue lies in the AlertUtil::validateExpression method, which evaluates a caller-supplied SpEL expression and can lead to Remote Code Execution. An authenticated attacker can trigger it with a PUT request to "/api/v1/events/subscriptions". The request is handled by EntityResource.createOrUpdate(), which calls EntityRepository.prepareInternal(), which in turn calls the repository's prepare() method; prepare() validates the subscription's condition expression through AlertUtil::validateExpression, and that is where the expression is evaluated. An authorization check does exist on this path, but it runs only after the SpEL expression has already been evaluated, so any user who can authenticate to the API (the CVSS vector records Au:S, single authentication) reaches the evaluation whether or not they are permitted to manage event subscriptions. The vulnerability has been addressed in version 1.2.4.
Recommendations: Upgrade to version 1.2.4 or later; that is the only complete fix. If you cannot upgrade immediately, restrict access to the /api/v1/events/subscriptions API endpoint (for example at a reverse proxy or API gateway) to the small set of accounts that need to manage event subscriptions, because the application's own authorization check runs too late to protect it. Disabling the AlertUtil::validateExpression function is a possible stopgap only if you maintain your own build of the affected version. Avoiding the condition parameter in your own requests does not prevent exploitation, since the attacker supplies the condition; treat any PUT to this endpoint that carries a condition value as worth reviewing until the upgrade is done.
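The two checks a defender actually performs for this advisory are deciding whether a reported server version is in the affected range (prior to 1.2.4) and reviewing PUT requests to /api/v1/events/subscriptions for condition values that carry SpEL a legitimate alert rule would never contain. The script below is an added example written for this page; it is not OpenMetadata code. The access-log field layout (method, path, user, body), the nesting of the "condition" key inside "filteringRules"/"rules", the function name matchAnySource in the benign sample, and the signature regex are all this example's assumptions, and the log entries are constructed.

```python
"""Added example (not OpenMetadata code): affected-version check and a
reviewer for PUT /api/v1/events/subscriptions bodies carrying hostile SpEL."""
import json
import re

# Version that shipped the fix, per the advisory.
FIXED_VERSION = (1, 2, 4)

# Endpoint named in the advisory.
TARGET_PATH = "/api/v1/events/subscriptions"

# SpEL constructs an alert condition has no business containing. T(...) is the
# type-reference operator that reaches arbitrary JVM classes; the others are the
# usual routes from a type reference to reflection or process execution.
# This signature list is an assumption of the example, not an exhaustive one.
SUSPICIOUS_SPEL = re.compile(
    r"\bT\s*\(|getRuntime\s*\(|ProcessBuilder|forName\s*\(|getClass\s*\(|java\.lang\."
)


def parse_version(text):
    """Turn 'v1.2.3' or '1.2.3-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the reported server version predates the 1.2.4 fix."""
    return parse_version(version_text) < FIXED_VERSION


def iter_conditions(node):
    """Yield every string stored under a key named 'condition', at any depth,
    so the check does not depend on the exact subscription schema."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "condition" and isinstance(value, str):
                yield value
            else:
                yield from iter_conditions(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_conditions(item)


def inspect_request(entry):
    """Return a finding dict for one log entry, or None if it looks benign.

    The entry layout (method, path, user, raw JSON body) is assumed by this
    example; adapt the field names to whatever your proxy or gateway logs.
    """
    if entry.get("method", "").upper() != "PUT":
        return None
    if not entry.get("path", "").startswith(TARGET_PATH):
        return None
    try:
        body = json.loads(entry.get("body") or "{}")
    except json.JSONDecodeError:
        return {"user": entry.get("user"), "reason": "unparseable body on target endpoint"}
    for cond in iter_conditions(body):
        m = SUSPICIOUS_SPEL.search(cond)
        if m:
            return {"user": entry.get("user"),
                    "reason": f"SpEL construct {m.group(0)!r} in condition",
                    "condition": cond}
    return None


def scan(entries):
    """Run inspect_request over a sequence of log entries and keep the findings."""
    return [f for f in (inspect_request(e) for e in entries) if f]


# Constructed log entries: the first is a plausible benign rule, the second the
# textbook SpEL type-reference payload, the last two show method and path scoping.
SAMPLE_LOG = [
    {"method": "PUT", "path": TARGET_PATH, "user": "alice",
     "body": json.dumps({"name": "ingestion-failures", "filteringRules": {"rules": [
         {"name": "sources", "condition": "matchAnySource('table')"}]}})},
    {"method": "PUT", "path": TARGET_PATH, "user": "mallory",
     "body": json.dumps({"name": "harmless-looking", "filteringRules": {"rules": [
         {"name": "sources",
          "condition": "T(java.lang.Runtime).getRuntime().exec('id')"}]}})},
    {"method": "GET", "path": TARGET_PATH, "user": "bob", "body": ""},
    {"method": "PUT", "path": "/api/v1/tables", "user": "bob",
     "body": json.dumps({"condition": "T(java.lang.Runtime)"})},
]

if __name__ == "__main__":
    for version in ("1.2.3", "1.2.4", "v1.3.0-SNAPSHOT"):
        print(version, "affected" if is_affected(version) else "fixed")
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The path check is deliberately scoped to the endpoint the advisory names, so a condition-bearing PUT elsewhere is not reported by this rule; widen TARGET_PATH if you want to audit other SpEL-evaluating endpoints. Version comparison is tuple-based so that 1.2.10, if it existed, would not sort before 1.2.4 the way a string comparison would.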

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-03260
CVE-2024-28847
GHSA-8P5R-6MVV-2435

Affected Products

Openmetadata