PT-2024-3068 · Unknown · Openmetadata

Pwntester · Published 2024-03-07 · Updated 2024-04-19 · CVE-2024-28254

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenMetadata versions prior to 1.2.4

Description: The issue is related to the AlertUtil::validateExpression method, which evaluates a SpEL expression using getValue with a StandardEvaluationContext. That context allows the expression to interact with arbitrary Java classes such as java.lang.Runtime, which leads to Remote Code Execution. The /api/v1/events/subscriptions/validation/condition/<expression> endpoint passes user-controlled data to AlertUtil::validateExpression and lacks an authorization check, so authenticated non-admin users can execute arbitrary system commands on the underlying operating system.

Recommendations: For versions prior to 1.2.4, upgrade to version 1.2.4 or later to address the issue. As a temporary workaround, consider restricting access to the /api/v1/events/subscriptions/validation/condition/<expression> endpoint and disabling the AlertUtil::validateExpression method until a patch is available. Additionally, restrict the use of the java.lang.Runtime class to minimize the risk of exploitation.
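As an added illustration of the evaluation-context pattern named in the description (this is not OpenMetadata's code; the ChangeEvent root object and the helper names are assumed), the following shows the unsafe StandardEvaluationContext evaluation beside a hardened variant built on Spring's SimpleEvaluationContext, which refuses T(...) type references at evaluation time so a user-supplied condition can only read properties of the supplied root object. The advisory's actual fix is the upgrade to 1.2.4; narrowing the evaluation context is an additional defence-in-depth control for any code that evaluates user-supplied SpEL.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class AlertConditionCheck {

    // Constructed root object standing in for the event an alert condition is evaluated against.
    public static class ChangeEvent {
        private final String entityType;
        public ChangeEvent(String entityType) { this.entityType = entityType; }
        public String getEntityType() { return entityType; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Unsafe pattern from the advisory: StandardEvaluationContext exposes the full SpEL
    // feature set, including T(...) references to arbitrary classes on the JVM classpath.
    static boolean validateUnsafe(String expression, ChangeEvent root) {
        Expression exp = PARSER.parseExpression(expression);
        return Boolean.TRUE.equals(exp.getValue(new StandardEvaluationContext(root)));
    }

    // Hardened variant: SimpleEvaluationContext rejects type references, constructors and
    // bean references, leaving only read-only property access on the supplied root object.
    static boolean validateSafe(String expression, ChangeEvent root) {
        Expression exp = PARSER.parseExpression(expression);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return Boolean.TRUE.equals(exp.getValue(ctx, root));
    }

    public static void main(String[] args) {
        ChangeEvent event = new ChangeEvent("table");

        // A legitimate alert condition only inspects the event and works in both contexts.
        String benign = "entityType == 'table'";
        System.out.println("benign/unsafe  = " + validateUnsafe(benign, event));
        System.out.println("benign/safe    = " + validateSafe(benign, event));

        // A type reference is valid SpEL syntax; the standard context resolves it, the
        // restricted context throws a SpelEvaluationException (TYPE_NOT_FOUND) instead.
        String typeRef = "T(java.lang.Math).abs(-1) == 1";
        System.out.println("typeRef/unsafe = " + validateUnsafe(typeRef, event));
        try {
            validateSafe(typeRef, event);
        } catch (EvaluationException e) {
            System.out.println("typeRef/safe rejected: " + e.getMessage());
        }
    }
}
```

Requires spring-expression on the classpath; the same rejection applies to any other class named in a T(...) reference, which is the property the restricted context provides.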

Weakness Enumeration: Code Injection, OS Command Injection

Related Identifiers

BDU:2024-03261
CVE-2024-28254
GHSA-J86M-RRPR-G8GW

Affected Products

Openmetadata