8 matches found
Metasploit Weekly Wrap-Up 08/16/2024
New module content 3 Apache HugeGraph Gremlin RCE Authors: 6right and jheysel-r7 Type: Exploit Pull request: 19348 contributed by jheysel-r7 Path: linux/http/apachehugegraphgremlinrce AttackerKB reference: CVE-2024-27348 Description: Adds an Apache HugeGraph Server exploit for GHSA-29rc-vq7f-x335...
OpenMetadata 1.2.3 Authentication Bypass / SpEL Injection
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenMetadata authentication bypass and SpEL injection exploit chain', 'Description' = %q OpenMetadata is a unified platform for discovery,...
OpenMetadata 1.2.3 Authentication Bypass / SpEL Injection Exploit
This Metasploit module exploits OpenMetadata versions 1.2.3 and below by chaining an API authentication bypass using JWT tokens along with a SpEL injection vulnerability to achieve arbitrary command execution. This module requires Metasploit: https://metasploit.com/download Current source:...
OpenMetadata authentication bypass and SpEL injection exploit chain
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. This module chains two vulnerabilities that exist in the OpenMetadata aplication. The first vulnerability, CVE-2024-28255,...
CVE-2024-28254
creationtimestamp| type| source ---|---|--- 2024-03-15 21:22:16+00:00| seen| https://t.me/ctinow/209160 2024-03-15 21:26:26+00:00| seen| https://t.me/ctinow/209173 2024-04-18 12:37:11+00:00| exploited| https://t.me/itsecnews/4333 2024-04-18 15:16:29+00:00| seen| https://t.me/ctinow/215638...
CVE-2024-28254 SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...
CVE-2024-28254 SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...
CVE-2024-28254
OpenMetadata CVE-2024-28254 is a SpEL injection at GET /api/v1/events/subscriptions/validation/condition/, allowed by AlertUtil::validateExpression, which can reach java.lang.Runtime via StandardEvaluationContext to perform arbitrary commands (RCE). Authentication bypass concerns exist via CVE-20...