CVE-2024-28847
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-28847 is a Remote Code Execution vulnerability affecting OpenMetadata, a platform for discovery, observability, and governance. The issue lies in the `AlertUtil::validateExpression` function, which is called from `EventSubscriptionRepository.prepare()`, a method that is part of the workflow leading from `EntityResource.createOrUpdate()`. An attacker can exploit this vulnerability by sending a malicious PUT request to `/api/v1/events/subscriptions`, triggering the affected function. Although an authorization check is present, it takes place after the SpEL expression has been evaluated, rendering it ineffective. The vulnerability was discovered using CodeQL's Expression language injection query and was addressed in version 1.2.4. There are currently no known workarounds for this issue, and users are advised to upgrade as soon as possible.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.