Description
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.
EPSS Score:
92%
Comprehensive Technical Analysis of EUVD-2024-25354
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description:
The vulnerability in OpenMetadata's JwtFilter allows an attacker to bypass JWT authentication by manipulating the request path to include excluded endpoints. This can lead to unauthorized access to various endpoints, including those that may allow arbitrary SpEL (Spring Expression Language) expression injection.
Severity Evaluation:
- CVSS Base Score: 9.8
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The high CVSS score indicates a critical vulnerability due to its ease of exploitation (low complexity), lack of required privileges, and significant impact on confidentiality, integrity, and availability.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Path Parameter Manipulation: An attacker can craft a request path that includes excluded endpoints, bypassing JWT validation.
- Arbitrary SpEL Expression Injection: Once authentication is bypassed, the attacker can inject malicious SpEL expressions, leading to further exploitation.
Exploitation Methods:
- Example Request:
GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111- This request manipulates the path to include
v1/users/login, which is an excluded endpoint, thereby bypassing JWT validation.
- This request manipulates the path to include
3. Affected Systems and Software Versions
Affected Software:
- OpenMetadata versions prior to 1.2.4
Affected Systems:
- Any system running the vulnerable versions of OpenMetadata, particularly those exposed to the internet or accessible by untrusted users.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade: Upgrade to OpenMetadata version 1.2.4 or later, which addresses this vulnerability.
Additional Mitigations:
- Input Validation: Implement strict input validation to prevent path parameter manipulation.
- Monitoring: Enhance monitoring and logging to detect and respond to suspicious activities.
- Access Control: Limit access to critical endpoints and ensure proper authentication and authorization mechanisms are in place.
5. Impact on European Cybersecurity Landscape
Impact Analysis:
- Widespread Adoption: OpenMetadata is widely used for metadata management, making this vulnerability a significant risk for organizations relying on it.
- Data Breach Risk: The potential for authentication bypass and arbitrary code execution poses a high risk of data breaches and unauthorized access.
- Compliance Issues: Organizations may face compliance issues with regulations such as GDPR if sensitive data is compromised.
Regulatory and Compliance:
- GDPR Compliance: Ensure that personal data is protected and that any breaches are reported promptly.
- ENISA Guidelines: Follow ENISA guidelines for incident response and vulnerability management.
6. Technical Details for Security Professionals
Technical Overview:
- JwtFilter Mechanism: The
JwtFilteris responsible for validating JWT tokens for API requests. It checks the request path against a list of excluded endpoints. - Vulnerability Mechanism: The vulnerability arises from the way the filter handles path parameters, allowing an attacker to craft a request that bypasses JWT validation.
Code References:
- JwtFilter.java:
- Line 111: The code checks the request path against excluded endpoints.
- Line 113: The code processes the request without JWT validation if the path matches an excluded endpoint.
References:
Conclusion: This vulnerability in OpenMetadata is critical and requires immediate attention. Organizations should prioritize upgrading to the patched version and implement additional security measures to mitigate the risk. The potential impact on data security and compliance underscores the importance of prompt action.