9.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.6 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.2%
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression
is also called from PolicyRepository.prepare
. prepare()
is called from EntityRepository.prepareInternal()
which, in turn, gets called from EntityResource.createOrUpdate()
. Note that even though there is an authorization check (authorizer.authorize()
), it gets called after prepareInternal()
gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to /api/v1/policies
which gets handled by PolicyResource.createOrUpdate()
. This vulnerability was discovered with the help of CodeQL’s Expression language injection (Spring) query and is also tracked as GHSL-2023-252
. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
[
{
"vendor": "open-metadata",
"product": "OpenMetadata",
"versions": [
{
"version": "< 1.3.1",
"status": "affected"
}
]
}
]
codeql.github.com/codeql-query-help/java/java-spel-expression-injection
github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java#L693
github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java#L219
github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/policies/PolicyResource.java#L365
github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/PolicyRepository.java#L113
github.com/open-metadata/OpenMetadata/security/advisories/GHSA-7vf4-x5m2-r6gr
9.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.6 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.2%