Security researcher Alvaro Muñoz of the GHSL team has uncovered multiple critical vulnerabilities in OpenMetadata, an open-source metadata management platform. The flaws, if exploited, could allow remote code execution and authentication bypass attacks against OpenMetadata deployments.
The issues, disclosed on March 14th, 2024, have been assigned five CVE identifiers - CVE-2024-28253, CVE-2024-28847, CVE-2024-28254, CVE-2024-28848, and CVE-2024-28255.
At the heart of the vulnerabilities is OpenMetadata's use of the Spring Expression Language (SpEL), which allows the execution of embedded expressions within the application code. Several API endpoints failed to properly sanitize user-supplied SpEL expressions, enabling malicious payloads that could trigger arbitrary code execution on the host system.
The vulnerable endpoints include:
GET /api/v1/events/subscriptions/validation/condition/
PUT /api/v1/events/subscriptions
GET /api/v1/policies/validation/condition/
PUT /api/v1/policies
In all cases, an authenticated user could send a crafted request containing a malicious SpEL expression which would then be executed by the application.
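The pattern behind these endpoints is a rule or alert condition, supplied by the caller, that the server evaluates with SpEL. The following Java snippet is an added illustration, not code from OpenMetadata or from the advisory: it shows a condition evaluated with the full-featured StandardEvaluationContext next to the same condition evaluated under a restricted SimpleEvaluationContext, which is one standard Spring mitigation for this class of bug. The ConditionValidator and Entity classes, the property names and the sample conditions are all constructed for the example.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ConditionValidator {

    // Hypothetical root object standing in for the entity a rule condition is
    // checked against. Constructed for this example; not an OpenMetadata type.
    public static class Entity {
        private final String name;
        private final boolean deleted;
        public Entity(String name, boolean deleted) { this.name = name; this.deleted = deleted; }
        public String getName() { return name; }
        public boolean isDeleted() { return deleted; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak pattern: StandardEvaluationContext exposes the full SpEL feature set,
    // including type references (T(...)), constructors and method calls on
    // arbitrary classes, so whatever the caller wrote is evaluated as-is.
    static boolean evaluateUnsafe(String condition, Entity entity) {
        Expression expr = PARSER.parseExpression(condition);
        return Boolean.TRUE.equals(expr.getValue(new StandardEvaluationContext(entity), Boolean.class));
    }

    // Hardened pattern: SimpleEvaluationContext in read-only data-binding mode
    // limits evaluation to property reads on the root object. Type references,
    // constructors and bean references fail with an EvaluationException
    // instead of being resolved.
    static boolean evaluateSafe(String condition, Entity entity) {
        Expression expr = PARSER.parseExpression(condition);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(entity)
                .build();
        return Boolean.TRUE.equals(expr.getValue(ctx, Boolean.class));
    }

    public static void main(String[] args) {
        Entity table = new Entity("orders", false);

        // A legitimate rule condition only touches properties of the root
        // object and works under both contexts.
        String benign = "name == 'orders' and !deleted";
        System.out.println("unsafe context: " + evaluateUnsafe(benign, table));
        System.out.println("safe context:   " + evaluateSafe(benign, table));

        // A type reference is the construct user input must never reach.
        // The restricted context rejects it before anything is invoked.
        String typeRef = "T(java.lang.Math).abs(-1) > 0";
        try {
            evaluateSafe(typeRef, table);
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The restricted context is the right default for any expression that originates outside the trust boundary; if a feature beyond property access is genuinely needed, it should be granted explicitly (for example through a specific PropertyAccessor or MethodResolver) rather than by falling back to StandardEvaluationContext.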
Furthermore, Muñoz discovered an authentication bypass vulnerability (CVE-2024-28255) in OpenMetadata's JWT handling. By including specific path traversal sequences in API requests, an attacker could circumvent the authentication checks enforced by the JwtFilter component.
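The advisory does not spell out which sequences JwtFilter mishandled, so the following Java snippet is an added illustration of the general mistake rather than OpenMetadata's code: an authentication filter that compares the raw request path against an allow-list of unauthenticated endpoints, next to a version that normalizes the path and requires an exact match. PathAllowList, the PUBLIC_PATHS entries and the sample paths are constructed for the example.

```java
import java.net.URI;
import java.util.Set;

public class PathAllowList {

    // Hypothetical endpoints reachable without a token. Constructed for this
    // example; not OpenMetadata's own configuration.
    private static final Set<String> PUBLIC_PATHS = Set.of(
            "/api/v1/system/version",
            "/api/v1/users/login");

    // Weak pattern: a prefix match on the raw path. Dot segments are not
    // resolved, so the filter and the router can disagree about which
    // resource the request actually addresses.
    static boolean isPublicUnsafe(String rawPath) {
        for (String p : PUBLIC_PATHS) {
            if (rawPath.startsWith(p)) {
                return true;
            }
        }
        return false;
    }

    // Hardened pattern: resolve "." and ".." segments, decode the result and
    // require an exact match. Anything that still contains ".." after
    // normalization (for example percent-encoded dots that decode late) is
    // treated as authenticated traffic, never as public.
    static boolean isPublicSafe(String rawPath) {
        String normalized;
        try {
            normalized = URI.create(rawPath).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false; // unparseable paths are never public
        }
        if (normalized == null || normalized.contains("..")) {
            return false;
        }
        return PUBLIC_PATHS.contains(normalized);
    }

    public static void main(String[] args) {
        String legit = "/api/v1/users/login";
        String traversal = "/api/v1/users/login/../../tables";

        System.out.println(legit + " -> unsafe=" + isPublicUnsafe(legit)
                + " safe=" + isPublicSafe(legit));
        System.out.println(traversal + " -> unsafe=" + isPublicUnsafe(traversal)
                + " safe=" + isPublicSafe(traversal));
    }
}
```

The underlying rule is that an authentication filter must make its decision on the same canonical path the routing layer will use; any difference between the two is a bypass waiting to be found.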
While the vulnerabilities require an authenticated user, they highlight significant security lapses that could be exploited by malicious insiders or in the event of a compromised user account. Remote code execution is one of the most severe issues faced by web applications, often leading to complete system compromise.
OpenMetadata has released fixes for the disclosed vulnerabilities as part of their December 2023 update. However, the project has requested additional time before full public disclosure to allow users to apply the patches across their deployments.
Users and organizations running OpenMetadata are strongly advised to update to the latest patched version immediately and review their security posture. The flaws underscore the importance of robust input validation and proper security hardening, even in open-source projects.
The disclosure also serves as a reminder of the risks involved in using interpreted languages and execution environments within applications. While expression languages like SpEL offer powerful capabilities, they must be employed with appropriate safeguards to prevent injection vulnerabilities.