org.open-metadata:openmetadata-service@1.1.6 vulnerabilities

  • latest version

    1.5.11

  • latest non vulnerable version

  • first published

    2 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.open-metadata:openmetadata-service package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Code Injection

    Affected versions of this package are vulnerable to Code Injection due to the evaluation of SpEL expressions in an unauthorized context. An attacker can execute arbitrary code on the server by sending a specially crafted PUT request to /api/v1/policies.

    How to fix Code Injection?

    Upgrade org.open-metadata:openmetadata-service to version 1.3.1 or higher.

    [,1.3.1)
    • C
    Improper Authentication

    Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of JWT tokens in the JwtFilter component. Specifically, the mechanism that checks the request's path against a list of excluded endpoints fails to properly validate JWTs if the request's path includes any excluded endpoints via path parameters. This flaw allows an attacker to bypass authentication by crafting a request that includes arbitrary strings in the path, effectively matching the excluded endpoint condition and proceeding without JWT validation. This vulnerability enables unauthorized access to any endpoint without proper authentication.

    How to fix Improper Authentication?

    Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

    [,1.2.4)
    • H
    Remote Code Execution (RCE)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to the improper validation of user-supplied input in the prepare method. An attacker can execute arbitrary code by sending a specially crafted PUT request to /api/v1/events/subscriptions.

    How to fix Remote Code Execution (RCE)?

    Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

    [,1.2.4)
    • H
    Expression Language Injection

    Affected versions of this package are vulnerable to Expression Language Injection due to unchecked SpEL evaluation in CompiledRule::validateExpression using getValue, which uses the StandardEvaluationContext. This allows the expression to use internal classes such as java.lang.Runtime and execute arbitrary system commands on the underlaying operating system.

    In addition, Authorizer.authorize() is never called on the affected path, so authenticated users can trigger this endpoint and evaluate arbitrary SpEL expressions.

    How to fix Expression Language Injection?

    Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

    [,1.2.4)
    • H
    Expression Language Injection

    Affected versions of this package are vulnerable to Expression Language Injection due to unchecked SpEL evaluation in ‎AlertUtil::validateExpression using getValue, which uses the StandardEvaluationContext. This allows the expression to use internal classes such as java.lang.Runtime and execute arbitrary system commands on the underlaying operating system.

    In addition, Authorizer.authorize() is never called on the affected path, so authenticated users can trigger this endpoint and evaluate arbitrary SpEL expressions.

    How to fix Expression Language Injection?

    Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

    [,1.2.4)