OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)

SpEL Injection in PUT /api/v1/events/subscriptions GHSL-2023-251 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have...

CVE-2024-28253

OpenMetadata (policy handling) is affected by a SpEL injection in PUT /api/v1/policies. The vulnerability arises because SpEL expressions are evaluated in PolicyRepository.prepare() before authorization checks, allowing an attacker to craft a policy payload that executes arbitrary code via a runt...