org.open-metadata:openmetadata-service 1.1.7 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.open-metadata:openmetadata-service package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Code Injection Affected versions of this package are vulnerable to Code Injection due to the evaluation of SpEL expressions in an unauthorized context. An attacker can execute arbitrary code on the server by sending a specially crafted PUT request to `/api/v1/policies`. How to fix Code Injection? Upgrade `org.open-metadata:openmetadata-service` to version 1.3.1 or higher.	[,1.3.1)
C Improper Authentication Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of JWT tokens in the `JwtFilter` component. Specifically, the mechanism that checks the request's path against a list of excluded endpoints fails to properly validate JWTs if the request's path includes any excluded endpoints via path parameters. This flaw allows an attacker to bypass authentication by crafting a request that includes arbitrary strings in the path, effectively matching the excluded endpoint condition and proceeding without JWT validation. This vulnerability enables unauthorized access to any endpoint without proper authentication. How to fix Improper Authentication? Upgrade `org.open-metadata:openmetadata-service` to version 1.2.4 or higher.	[,1.2.4)
H Remote Code Execution (RCE) Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to the improper validation of user-supplied input in the `prepare` method. An attacker can execute arbitrary code by sending a specially crafted PUT request to `/api/v1/events/subscriptions`. How to fix Remote Code Execution (RCE)? Upgrade `org.open-metadata:openmetadata-service` to version 1.2.4 or higher.	[,1.2.4)
H Expression Language Injection Affected versions of this package are vulnerable to Expression Language Injection due to unchecked SpEL evaluation in `CompiledRule::validateExpression` using `getValue`, which uses the `StandardEvaluationContext`. This allows the expression to use internal classes such as `java.lang.Runtime` and execute arbitrary system commands on the underlaying operating system. In addition, `Authorizer.authorize()` is never called on the affected path, so authenticated users can trigger this endpoint and evaluate arbitrary SpEL expressions. How to fix Expression Language Injection? Upgrade `org.open-metadata:openmetadata-service` to version 1.2.4 or higher.	[,1.2.4)
H Expression Language Injection Affected versions of this package are vulnerable to Expression Language Injection due to unchecked SpEL evaluation in `‎AlertUtil::validateExpression` using `getValue`, which uses the `StandardEvaluationContext`. This allows the expression to use internal classes such as `java.lang.Runtime` and execute arbitrary system commands on the underlaying operating system. In addition, `Authorizer.authorize()` is never called on the affected path, so authenticated users can trigger this endpoint and evaluate arbitrary SpEL expressions. How to fix Expression Language Injection? Upgrade `org.open-metadata:openmetadata-service` to version 1.2.4 or higher.	[,1.2.4)

Vulnerability

Vulnerable Version

Code Injection

Affected versions of this package are vulnerable to Code Injection due to the evaluation of SpEL expressions in an unauthorized context. An attacker can execute arbitrary code on the server by sending a specially crafted PUT request to /api/v1/policies.

How to fix Code Injection?

Upgrade org.open-metadata:openmetadata-service to version 1.3.1 or higher.

[,1.3.1)

Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of JWT tokens in the JwtFilter component. Specifically, the mechanism that checks the request's path against a list of excluded endpoints fails to properly validate JWTs if the request's path includes any excluded endpoints via path parameters. This flaw allows an attacker to bypass authentication by crafting a request that includes arbitrary strings in the path, effectively matching the excluded endpoint condition and proceeding without JWT validation. This vulnerability enables unauthorized access to any endpoint without proper authentication.

How to fix Improper Authentication?

Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

[,1.2.4)

Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to the improper validation of user-supplied input in the prepare method. An attacker can execute arbitrary code by sending a specially crafted PUT request to /api/v1/events/subscriptions.

How to fix Remote Code Execution (RCE)?

Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

[,1.2.4)

Expression Language Injection

Affected versions of this package are vulnerable to Expression Language Injection due to unchecked SpEL evaluation in CompiledRule::validateExpression using getValue, which uses the StandardEvaluationContext. This allows the expression to use internal classes such as java.lang.Runtime and execute arbitrary system commands on the underlaying operating system.

In addition, Authorizer.authorize() is never called on the affected path, so authenticated users can trigger this endpoint and evaluate arbitrary SpEL expressions.

How to fix Expression Language Injection?

Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

[,1.2.4)

Expression Language Injection

Affected versions of this package are vulnerable to Expression Language Injection due to unchecked SpEL evaluation in ‎AlertUtil::validateExpression using getValue, which uses the StandardEvaluationContext. This allows the expression to use internal classes such as java.lang.Runtime and execute arbitrary system commands on the underlaying operating system.

In addition, Authorizer.authorize() is never called on the affected path, so authenticated users can trigger this endpoint and evaluate arbitrary SpEL expressions.

How to fix Expression Language Injection?

Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

[,1.2.4)

org.open-metadata:openmetadata-service@1.1.7 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?