4 matches found
CVE-2024-28254
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...
CVE-2024-28254 SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...
CVE-2024-28254 SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...
CVE-2024-28254
OpenMetadata CVE-2024-28254 is a SpEL injection at GET /api/v1/events/subscriptions/validation/condition/, allowed by AlertUtil::validateExpression, which can reach java.lang.Runtime via StandardEvaluationContext to perform arbitrary commands (RCE). Authentication bypass concerns exist via CVE-20...