CVE-2024-28255

{"id": "CVE-2024-28255", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-03-15T20:15:10.270", "references": [{"url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111", "source": "security-advisories@github.com"}, {"url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113", "source": "security-advisories@github.com"}, {"url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84", "source": "security-advisories@github.com"}, {"url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-with-path-parameter-in-openmetadata-cve-2024-28255", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`."}, {"lang": "es", "value": "OpenMetadata es una plataforma unificada para el descubrimiento, la observabilidad y la gobernanza impulsada por un repositorio central de metadatos, un linaje profundo y una colaboraci\u00f3n fluida en equipo. El `JwtFilter` maneja la autenticaci\u00f3n API solicitando y verificando tokens JWT. Cuando llega una nueva solicitud, la ruta de la solicitud se compara con esta lista. Cuando la ruta de la solicitud contiene cualquiera de los endpoints excluidos, el filtro regresa sin validar el JWT. Desafortunadamente, un atacante puede usar par\u00e1metros de ruta para hacer que cualquier ruta contenga cadenas arbitrarias. Por ejemplo, una solicitud para `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` coincidir\u00e1 con la condici\u00f3n del endpoint excluido y, por lo tanto, se procesar\u00e1 sin validaci\u00f3n JWT, lo que permitir\u00e1 a un atacante eludir el mecanismo de autenticaci\u00f3n y llegar a cualquier endpoint arbitrario, incluidos los enumerados anteriormente que conducen a la inyecci\u00f3n de expresi\u00f3n SpEL arbitraria. Esta omisi\u00f3n no funcionar\u00e1 cuando el endpoint utilice `SecurityContext.getUserPrincipal()` ya que devolver\u00e1 `null` y generar\u00e1 un NPE. Este problema puede provocar una omisi\u00f3n de autenticaci\u00f3n y se solucion\u00f3 en la versi\u00f3n 1.2.4. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. Este problema tambi\u00e9n se rastrea como \"GHSL-2023-237\"."}], "lastModified": "2024-11-21T09:06:06.550", "sourceIdentifier": "security-advisories@github.com"}