A vulnerability in the AlertUtil::validateExpression method (/api/v1/events/subscriptions) of the OpenMetadata metadata management platform allows an attacker to execute arbitrary code.
A vulnerability in the AlertUtil::validateExpression method (/api/v1/events/subscriptions) of the OpenMetadata platform is related to improper handling of code generation. Exploiting this vulnerability could allow an attacker to execute arbitrary code...
A vulnerability in the `AlertUtil::validateExpression` method (/api/v1/events/subscriptions/validation/condition/) of the OpenMetadata platform allows an attacker to execute arbitrary code.
A vulnerability in the AlertUtil::validateExpression method (/api/v1/events/subscriptions/validation/condition/) of the OpenMetadata platform is related to improper handling of code generation. Exploiting this vulnerability could allow an attacker to execute arbitrary code...
VulnCheck KEV: CVE-2024-28847
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, AlertUtil::validateExpression is also called from...
SpEL Injection
OpenMetadata is vulnerable to Spring Expression Language (SpEL) injection. The vulnerability is caused by a lack of validation of user-controlled data within the AlertUtil::validateExpression method, which allows the execution of arbitrary system commands through user-controlled data, leading to Remot...
PT-2024-3067
Name of the Vulnerable Software and Affected Versions: OpenMetadata versions prior to 1.2.4
Description: The issue is related to the AlertUtil::validateExpression method, which can lead to Remote Code Execution. An attacker can send a PUT request to "/api/v1/events/subscriptions" to exploit this...