Vulnerability title
SpEL injection in OpenMetadata's `GET /api/v1/policies/validation/condition/<expr>`
Vulnerability description
OpenMetadata is a unified platform for discovery, observability, and governance, powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `CompiledRule::validateExpression` method evaluates SpEL expressions using a `StandardEvaluationContext`, which lets the expression reach and interact with Java classes such as `java.lang.Runtime`, leading to remote code execution. The affected path also lacks an authorization check, because `Authorizer.authorize()` is never called in it, so any authenticated non-admin user can trigger this endpoint and evaluate arbitrary SpEL expressions, resulting in arbitrary command execution. The vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. The issue may lead to remote code execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are currently no known workarounds for this vulnerability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Improper Control of Generation of Code ('Code Injection')
Vulnerability title
SpEL Injection in `GET /api/v1/policies/validation/condition/<expr>` in OpenMetadata
Vulnerability description
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `CompiledRule::validateExpression` method evaluates a SpEL expression using a `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/policies/validation/condition/<expression>` endpoint passes user-controlled data to `CompiledRule::validateExpression`, allowing authenticated (non-admin) users to execute arbitrary system commands on the underlying operating system. In addition, there is a missing authorization check, since `Authorizer.authorize()` is never called in the affected path; therefore any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions, leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. This issue may lead to Remote Code Execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Improper Control of Generation of Code ('Code Injection')
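The description above pins the root cause on evaluating caller-supplied SpEL against a `StandardEvaluationContext`. The following is an added illustration, not OpenMetadata's code and not a claim about how the project fixed the issue: it evaluates one deliberately harmless type-reference expression (constructed here) against a full-power context and against Spring's restricted `SimpleEvaluationContext`, showing that the restricted context refuses `T(...)` references outright. The class name `SpelContextComparison` and the method names are assumptions for this example.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example (not OpenMetadata's own code): contrasts the evaluation context
 * named in the advisory with Spring's restricted SimpleEvaluationContext.
 */
public class SpelContextComparison {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed, harmless input. A T(...) type reference is the SpEL feature that
    // lets an expression reach arbitrary JVM classes (the advisory names
    // java.lang.Runtime); reaching java.lang.Math exercises the same capability.
    static final String TYPE_REFERENCE_EXPR = "T(java.lang.Math).max(2, 3)";

    /** The risky pattern: a full StandardEvaluationContext, so every class on the classpath is reachable. */
    static Object evaluateUnrestricted(String expr) {
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext());
    }

    /**
     * Restricted variant: SimpleEvaluationContext has no TypeLocator, so T(...)
     * references, constructors and bean references fail with SpelEvaluationException.
     * Note that this addresses only the evaluation context; the missing
     * Authorizer.authorize() call described in the advisory is a separate fix.
     */
    static Object evaluateRestricted(String expr) {
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
    }

    public static void main(String[] args) {
        System.out.println("standard context -> " + evaluateUnrestricted(TYPE_REFERENCE_EXPR));
        try {
            evaluateRestricted(TYPE_REFERENCE_EXPR);
            System.out.println("simple context   -> unexpectedly allowed");
        } catch (SpelEvaluationException ex) {
            System.out.println("simple context   -> rejected: " + ex.getMessageCode());
        }
    }
}
```

With spring-expression on the classpath, the first call returns 3 while the second raises `SpelEvaluationException` with the `TYPE_NOT_FOUND` message code, which is the behaviour a policy-condition validator wants when the expression text comes from a request.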
Vulnerability title
OpenMetadata security vulnerability
Vulnerability description
OpenMetadata is a unified platform for discovery, observability, and governance, powered by a central metadata repository, in-depth lineage, and seamless team collaboration. OpenMetadata versions prior to 1.2.4 contain a security vulnerability caused by SpEL injection in GET /api/v1/policies/validation/condition/. An attacker can exploit this vulnerability to execute remote code.
CVSS information
N/A
Vulnerability category
Other