CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
17.0%
OpenMetadata is vulnerable to Expression Language (SpEL) Injection. The vulnerability is caused due to a lack of validation of user-controlled data within the AlertUtil::validateExpression
method, which allows the execution of arbitrary system commands through user-controlled data, leading to Remote Code Execution.
codeql.github.com/codeql-query-help/java/java-spel-expression-injection
codeql.github.com/codeql-query-help/java/java-spel-expression-injection/
github.com/open-metadata/OpenMetadata/blob/84054a85d3478e3e3795fe92daa633ec11c9d6d9/openmetadata-service/src/main/java/org/openmetadata/service/events/subscription/AlertUtil.java#L101
github.com/open-metadata/OpenMetadata/blob/84054a85d3478e3e3795fe92daa633ec11c9d6d9/openmetadata-service/src/main/java/org/openmetadata/service/events/subscription/AlertUtil.java#L108
github.com/open-metadata/OpenMetadata/security/advisories/GHSA-j86m-rrpr-g8gw
github.com/spring-projects/spring-framework/blob/4e2d3573189b7c0afce62bce29cd915de4077f56/spring-expression/src/main/java/org/springframework/expression/spel/standard/SpelExpression.java#L106