CrowdSec
5/10CrowdSec Score

OpenMetadata - Authentication Bypass (CVE-2024-28255)

Published on15-03-2024
First seen on23-11-2024

207Exploiting IPs reported

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.

CrowdSec analysis

CVE-2024-28255 is a critical vulnerability in OpenMetadata that allows attackers to bypass API authentication by manipulating certain request paths, potentially leading to arbitrary SpEL expression injection and full compromise of the system.

CrowdSec has been tracking this vulnerability and its exploits since 15th of December 2023.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2024-28255 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2024-28255 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2024-28255 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Exploitation attempts frequently involve URLs containing /api/v1;v1/users/login/events/subscriptions/validation/condition.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.