module
OpenMetadata authentication bypass and SpEL injection exploit chain
| Disclosed | Created |
|---|---|
| 03/15/2024 | 08/14/2024 |
Disclosed
03/15/2024
Created
08/14/2024
Description
OpenMetadata is a unified platform for discovery, observability, and governance powered
by a central metadata repository, in-depth lineage, and seamless team collaboration.
This module chains two vulnerabilities that exist in the OpenMetadata aplication.
The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.
It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded
endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters
to make any path contain any arbitrary strings that will match the excluded endpoint condition
and therefore will be processed with no JWT validation allowing an attacker to bypass the
authentication mechanism and reach any arbitrary endpoint.
By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection
at endpoint `/api/v1/events/subscriptions/validation/condition/`, attackers
are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any
authentication.
OpenMetadata versions `1.2.3` and below are vulnerable.
by a central metadata repository, in-depth lineage, and seamless team collaboration.
This module chains two vulnerabilities that exist in the OpenMetadata aplication.
The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.
It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded
endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters
to make any path contain any arbitrary strings that will match the excluded endpoint condition
and therefore will be processed with no JWT validation allowing an attacker to bypass the
authentication mechanism and reach any arbitrary endpoint.
By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection
at endpoint `/api/v1/events/subscriptions/validation/condition/`, attackers
are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any
authentication.
OpenMetadata versions `1.2.3` and below are vulnerable.
Authors
h00die-gr3y Alvaro Muñoz alias pwntester (https://github.com/pwntester)
Platform
Linux,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/openmetadata_auth_bypass_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.