5 matches found
OpenMetadata vulnerable to a SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` (`GHSL-2023-236`)
SpEL Injection in GET /api/v1/policies/validation/condition/ GHSL-2023-236 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and...
CVE-2024-28848
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...
CVE-2024-28848 SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...
CVE-2024-28848 SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The CompiledRule::validateExpression method evaluates an SpEL expression using an StandardEvaluationContext, allowing the...
CVE-2024-28848
CVE-2024-28848 is a SpEL injection vulnerability in OpenMetadata's GET /api/v1/policies/validation/condition/. The CompiledRule.validateExpression flow evaluates user-supplied SpEL against Java types (e.g., Runtime), enabling remote code execution. The issue is exploitable by authenticated non-ad...