Lucene search

5 matches found

Nuclei
added 7 hours ago, 8 views

OpenMetaData - SpEL Injection in PUT /api/v1/policies

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression is also called from PolicyRepository.prepare. prepare is called from...

CVSS 9.4, AI score 8.1, EPSS 0.92915
Exploits: 0, References: 5
Github Security Blog
added 2024/04/23 9:11 p.m., 31 views

OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)

SpEL Injection in PUT /api/v1/policies (GHSL-2023-252). Please note, only authenticated users have access to PUT / POST APIs for /api/v1/policies. Non-authenticated users will not be able to access these APIs to exploit the vulnerability. CompiledRule::validateExpression is also called from...

CVSS 9.4, AI score 9.8, EPSS 0.92915
Exploits: 0, References: 9, Affected Software: 1
Vulnrichment
added 2024/03/15 7:55 p.m., 11 views

CVE-2024-28253 SpEL Injection in `PUT /api/v1/policies` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression is also called from PolicyRepository.prepare. prepare is called from...

CVSS 9.4, AI score 9.7, EPSS 0.92915
Exploits: 0, References: 6
CVE
added 2024/03/15 7:55 p.m., 119 views

CVE-2024-28253

OpenMetadata (policy handling) is affected by a SpEL injection in PUT /api/v1/policies. The vulnerability arises because SpEL expressions are evaluated in PolicyRepository.prepare() before authorization checks, allowing an attacker to craft a policy payload that executes arbitrary code via a runt...

CVSS 9.4, AI score 9.7, EPSS 0.92915
Exploits: 0, References: 6, Affected Software: 1
Cvelist
added 2024/03/15 7:55 p.m., 14 views

CVE-2024-28253 SpEL Injection in `PUT /api/v1/policies` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression is also called from PolicyRepository.prepare. prepare is called from...

CVSS 9.4, AI score 9.9, EPSS 0.92915
Exploits: 0, References: 6