Lucene search
+L

223 matches found

OSV
OSV
added 2024/04/24 5:6 p.m.2 views

GHSA-5XV3-FM7G-865R OpenMetadata vulnerable to a SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` (`GHSL-2023-236`)

SpEL Injection in GET /api/v1/policies/validation/condition/ GHSL-2023-236 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and...

8.8CVSS6.3AI score0.07888EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2024/04/24 5:6 p.m.37 views

OpenMetadata vulnerable to a SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` (`GHSL-2023-236`)

SpEL Injection in GET /api/v1/policies/validation/condition/ GHSL-2023-236 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and...

8.8CVSS8.9AI score0.07888EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2024/04/24 5:6 p.m.43 views

OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)

SpEL Injection in PUT /api/v1/events/subscriptions GHSL-2023-251 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have...

8.8CVSS8AI score0.02372EPSS
Exploits1References9Affected Software1
OSV
OSV
added 2024/04/23 9:11 p.m.9 views

GHSA-7VF4-X5M2-R6GR OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)

SpEL Injection in PUT /api/v1/policies GHSL-2023-252 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability CompiledRule::validateExpression is also called from...

9.4CVSS6AI score0.12527EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2024/04/23 9:11 p.m.36 views

OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)

SpEL Injection in PUT /api/v1/policies GHSL-2023-252 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability CompiledRule::validateExpression is also called from...

9.4CVSS9.8AI score0.12527EPSS
Exploits0References9Affected Software1
The Hacker News
The Hacker News
added 2024/04/18 5:54 a.m.70 views

Hackers Exploit OpenMetadata Flaws to Mine Crypto on Kubernetes

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the...

9.8CVSS8.2AI score0.73255EPSS
Exploits9
VulnCheck KEV
VulnCheck KEV
added 2024/04/17 12:0 a.m.2 views

VulnCheck KEV: CVE-2024-28848

The OpenMetadata CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext which allows the expression to reach and interact with Java classes such as java.lang.Runtime and leading to Remote Code Execution. The...

8.8CVSS7.5AI score0.07888EPSS
Exploits0References1
Broadcom
Broadcom
added 2024/04/16 12:0 a.m.58 views

Spring Expression DoS Vulnerability (CVE-2023-20863)

In Spring Framework versions 6.0.0 - 6.0.7, 5.3.0 - 5.3.26, 5.2.0.RELEASE - 5.2.23.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service DoS condition...

6.5CVSS7AI score0.01122EPSS
Exploits0Affected Software1
Veracode
Veracode
added 2024/03/26 6:47 a.m.25 views

Expression Language Injection

OpenMetadata is vulnerable to Expression Language Injection. The vulnerability is due to in validateExpression function evaluates SpEL expressions using a StandardEvaluationContext, This enabling interaction with Java classes like java.lang.Runtime, ultimately resulting in Remote Code Execution...

8.8CVSS7.2AI score0.07888EPSS
Exploits0References6Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2024/03/22 4:5 p.m.35 views

Security Bulletin: Vulnerability in Spring Data MongoDB might affect IBM Storage Copy Data Management. [CVE-2022-22980]

Summary IBM Storage Copy Data Management can be affected by a vulnerability in Spring Data MongoDB. A remote attacker could exploit this vulnerability to execute arbitrary code on the system as described by the CVEs in the "Vulnerability Details" section. Vulnerability Details CVEID:CVE-2022-2298...

9.8CVSS9.6AI score0.16771EPSS
Exploits3Affected Software1
Veracode
Veracode
added 2024/03/22 7:7 a.m.25 views

SpEL Injection

OpenMetadata is vulnerable to SpEL Injection. This vulnerability is due to insufficient input validation within the EventSubscriptionRepository.prepare method, which allows an attacker to inject a specially crafted SpEL statement to the api/v1/events/subscriptions endpoint, which can result in...

8.8CVSS7.4AI score0.02372EPSS
Exploits1References6Affected Software1
Veracode
Veracode
added 2024/03/20 7:54 a.m.33 views

SpEL Injection

OpenMetadata is vulnerable to Expression Language SpEL Injection. The vulnerability is caused due to a lack of validation of user-controlled data within the AlertUtil::validateExpression method, which allows the execution of arbitrary system commands through user-controlled data, leading to Remot...

8.8CVSS9AI score0.45725EPSS
Exploits3References6Affected Software1
Vulnrichment
Vulnrichment
added 2024/03/15 7:55 p.m.20 views

CVE-2024-28848 SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The ‎CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...

8.8CVSS8.5AI score0.07888EPSS
Exploits0References4
Cvelist
Cvelist
added 2024/03/15 7:55 p.m.51 views

CVE-2024-28848 SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The ‎CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...

8.8CVSS9.6AI score0.07888EPSS
Exploits0References4
OSV
OSV
added 2024/03/15 7:55 p.m.18 views

CVE-2024-28848 SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The ‎CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...

8.8CVSS9AI score0.07888EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2024/03/15 7:55 p.m.44 views

CVE-2024-28255 Authentication Bypass in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

9.8CVSS7.8AI score0.73255EPSS
Exploits5References3
Cvelist
Cvelist
added 2024/03/15 7:55 p.m.44 views

CVE-2024-28255 Authentication Bypass in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

9.8CVSS10AI score0.73255EPSS
Exploits5References3
Vulnrichment
Vulnrichment
added 2024/03/15 7:55 p.m.22 views

CVE-2024-28847 SpEL Injection in `PUT /api/v1/events/subscriptions` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, AlertUtil::validateExpression is also called from EventSubscriptionRepository.prepare,...

8.8CVSS7.7AI score0.02372EPSS
Exploits1References6
Cvelist
Cvelist
added 2024/03/15 7:55 p.m.42 views

CVE-2024-28847 SpEL Injection in `PUT /api/v1/events/subscriptions` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, AlertUtil::validateExpression is also called from EventSubscriptionRepository.prepare,...

8.8CVSS9.2AI score0.02372EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2024/03/15 7:55 p.m.18 views

CVE-2024-28254 SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The ‎AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...

8.8CVSS8.9AI score0.45725EPSS
Exploits3References5
Rows per page
Query Builder