CVE-2024-28255

Comprehensive Technical Analysis of CVE-2024-28255

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2024-28255 CVSS Score: 9.8 Severity: Critical

The vulnerability in OpenMetadata's JwtFilter allows an attacker to bypass JWT authentication by manipulating the request path using path parameters. This can lead to unauthorized access to various endpoints, including those that may allow arbitrary SpEL (Spring Expression Language) expression injection. The high CVSS score of 9.8 indicates a critical vulnerability due to its potential for severe impact and ease of exploitation.

2. Potential Attack Vectors and Exploitation Methods

Attack Vectors:

• Authentication Bypass: An attacker can craft a request with path parameters that match excluded endpoints, bypassing JWT validation.
• Arbitrary SpEL Expression Injection: Once authentication is bypassed, the attacker can exploit endpoints that allow SpEL expression injection, leading to potential code execution or data manipulation.

Exploitation Methods:

• Path Parameter Manipulation: By including specific path parameters in the request URL, an attacker can make the request path match excluded endpoints, thus bypassing JWT validation.
• Example Exploit: A request like GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111 can bypass authentication and reach sensitive endpoints.

3. Affected Systems and Software Versions

Affected Software:

• OpenMetadata versions prior to 1.2.4.

Affected Systems:

• Any system running OpenMetadata that relies on the JwtFilter for API authentication.

4. Recommended Mitigation Strategies

Immediate Actions:

• Upgrade: Upgrade to OpenMetadata version 1.2.4 or later, which addresses this vulnerability.
• Monitoring: Implement monitoring and logging to detect unusual patterns in API requests, especially those involving path parameters.

Long-Term Strategies:

• Code Review: Conduct thorough code reviews to identify and mitigate similar vulnerabilities in other parts of the application.
• Security Training: Provide security training for developers to understand the risks associated with path parameter manipulation and authentication bypass techniques.
• Regular Updates: Ensure that all software dependencies are regularly updated to the latest versions to mitigate known vulnerabilities.

5. Impact on Cybersecurity Landscape

This vulnerability highlights the importance of robust input validation and secure coding practices. The ability to bypass authentication mechanisms through path parameter manipulation underscores the need for comprehensive security testing and code reviews. The critical nature of this vulnerability serves as a reminder for organizations to prioritize security updates and patches to protect against potential exploits.

6. Technical Details for Security Professionals

Vulnerability Details:

• Root Cause: The JwtFilter in OpenMetadata does not properly validate request paths, allowing path parameters to bypass JWT validation.
• Exploitation: An attacker can manipulate the request path to include excluded endpoints, thereby bypassing authentication.
• Mitigation: The issue has been addressed in version 1.2.4 by improving the path validation logic in the JwtFilter.

Code Reference:

• The vulnerability is located in the JwtFilter.java file, specifically around lines 111 and 113.
• Reference Links:
  • JwtFilter.java#L111
  • JwtFilter.java#L113
  • Security Advisory

Additional Resources:

• Vicarius.io Analysis

By addressing this vulnerability promptly and implementing robust security practices, organizations can significantly reduce the risk of unauthorized access and potential data breaches.