fkie_cve-2024-28255
Vulnerability from fkie_nvd
Published
2024-03-15 20:15
Modified
2024-11-21 09:06
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.
References
security-advisories@github.comhttps://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111
security-advisories@github.comhttps://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113
security-advisories@github.comhttps://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84
af854a3a-2127-422b-91ae-364da2661108https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111
af854a3a-2127-422b-91ae-364da2661108https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113
af854a3a-2127-422b-91ae-364da2661108https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84
af854a3a-2127-422b-91ae-364da2661108https://www.vicarius.io/vsociety/posts/authentication-bypass-with-path-parameter-in-openmetadata-cve-2024-28255
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request\u0027s path is checked against this list. When the request\u0027s path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`."
    },
    {
      "lang": "es",
      "value": "OpenMetadata es una plataforma unificada para el descubrimiento, la observabilidad y la gobernanza impulsada por un repositorio central de metadatos, un linaje profundo y una colaboraci\u00f3n fluida en equipo. El `JwtFilter` maneja la autenticaci\u00f3n API solicitando y verificando tokens JWT. Cuando llega una nueva solicitud, la ruta de la solicitud se compara con esta lista. Cuando la ruta de la solicitud contiene cualquiera de los endpoints excluidos, el filtro regresa sin validar el JWT. Desafortunadamente, un atacante puede usar par\u00e1metros de ruta para hacer que cualquier ruta contenga cadenas arbitrarias. Por ejemplo, una solicitud para `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` coincidir\u00e1 con la condici\u00f3n del endpoint excluido y, por lo tanto, se procesar\u00e1 sin validaci\u00f3n JWT, lo que permitir\u00e1 a un atacante eludir el mecanismo de autenticaci\u00f3n y llegar a cualquier endpoint arbitrario, incluidos los enumerados anteriormente que conducen a la inyecci\u00f3n de expresi\u00f3n SpEL arbitraria. Esta omisi\u00f3n no funcionar\u00e1 cuando el endpoint utilice `SecurityContext.getUserPrincipal()` ya que devolver\u00e1 `null` y generar\u00e1 un NPE. Este problema puede provocar una omisi\u00f3n de autenticaci\u00f3n y se solucion\u00f3 en la versi\u00f3n 1.2.4. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Este problema tambi\u00e9n se rastrea como \"GHSL-2023-237\"."
    }
  ],
  "id": "CVE-2024-28255",
  "lastModified": "2024-11-21T09:06:06.550",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-15T20:15:10.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-with-path-parameter-in-openmetadata-cve-2024-28255"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.