CVE-2024-28254

Summary

CVE-2024-28254 is a Remote Code Execution vulnerability in OpenMetadata's `AlertUtil::validateExpression` method. This method evaluates a Spring Expression Language (SpEL) expression using the default `StandardEvaluationContext`, allowing it to interact with Java classes like `java.lang.Runtime`. The `/api/v1/events/subscriptions/validation/condition/<expression>` endpoint accepts user-controlled data for this method, enabling authenticated non-admin users to execute arbitrary system commands on the underlying operating system without proper authorization checks. The vulnerability was identified using CodeQL's Expression language injection query and is also known as `GHSL-2023-235`. This issue has been resolved in version 1.2.4, and users are advised to upgrade as there are currently no known workarounds.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.