Q: Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-94** (Code Injection). The vulnerability stems from unsafe handling of Spring Expression Language (SpEL) in `CompiledRule.java`. ⚠️ User input is likely evaluated directly without sanitization.

Q: Who is affected? (Versions/Components)

👥 **Affected**: **OpenMetadata** versions **prior to 1.2.4**. 📦 Component: `openmetadata-service` / Policy Evaluator. 📅 Published: 2024-03-15.

Q: What can hackers do? (Privileges/Data)

💻 **Attacker Actions**: Full **Remote Code Execution**. 🕵️♂️ Can access sensitive data, modify system state, and compromise the entire infrastructure. CVSS Score indicates **High** impact across all metrics.

Q: Is exploitation threshold high? (Auth/Config)

🔓 **Threshold**: **Low**. 🌐 Network Accessible (AV:N). ⚖️ Requires **Low Privileges** (PR:L) but **No User Interaction** (UI:N). 🚫 Authentication is likely required, but the bar is low.

Q: Is there a public Exp? (PoC/Wild Exploitation)

🧪 **Public Exploit**: **No**. 📭 The `pocs` array is empty in the data. 🚫 No known wild exploitation or public PoC provided in this dataset.

Q: How to self-check? (Features/Scanning)

🔍 **Self-Check**: Scan for OpenMetadata instances. 🕵️♀️ Check if version is **< 1.2.4**. 📡 Monitor API calls to `/api/v1/policies/validation/condition/` for SpEL payloads (e.g., `T(java.lang.Runtime)...`).

Q: Is it fixed officially? (Patch/Mitigation)

✅ **Fixed**: **Yes**. 🛠️ Upgrade to **OpenMetadata 1.2.4** or later. 📜 Official advisory: GHSA-5xv3-fm7g-865r. 🔗 See GitHub source links for details.

Q: What if no patch? (Workaround)

🚧 **No Patch?**: Implement **WAF rules** to block SpEL syntax in API parameters. 🛑 Restrict access to the `/policies/validation/condition/` endpoint. 🧱 Input validation at the application layer.

Q: Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Vector: `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. 🏃♂️ Immediate patching recommended due to RCE risk and low exploitation barrier.

Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **Essence**: OpenMetadata < 1.2.4 has a **SpEL Injection** flaw in `GET /api/v1/policies/validation/condition/`. 📉 **Consequences**: Attackers can execute **Remote Code Execution (RCE)** on the server.…

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause**: **CWE-94** (Code Injection). The vulnerability stems from unsafe handling of Spring Expression Language (SpEL) in `CompiledRule.java`. ⚠️ User input is likely evaluated directly without sanitization.

Question 3

Who is affected? (Versions/Components)

Accepted Answer

👥 **Affected**: **OpenMetadata** versions **prior to 1.2.4**. 📦 Component: `openmetadata-service` / Policy Evaluator. 📅 Published: 2024-03-15.

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

💻 **Attacker Actions**: Full **Remote Code Execution**. 🕵️‍♂️ Can access sensitive data, modify system state, and compromise the entire infrastructure. CVSS Score indicates **High** impact across all metrics.

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

🔓 **Threshold**: **Low**. 🌐 Network Accessible (AV:N). ⚖️ Requires **Low Privileges** (PR:L) but **No User Interaction** (UI:N). 🚫 Authentication is likely required, but the bar is low.

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

🧪 **Public Exploit**: **No**. 📭 The `pocs` array is empty in the data. 🚫 No known wild exploitation or public PoC provided in this dataset.

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔍 **Self-Check**: Scan for OpenMetadata instances. 🕵️‍♀️ Check if version is **< 1.2.4**. 📡 Monitor API calls to `/api/v1/policies/validation/condition/` for SpEL payloads (e.g., `T(java.lang.Runtime)...`).

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

✅ **Fixed**: **Yes**. 🛠️ Upgrade to **OpenMetadata 1.2.4** or later. 📜 Official advisory: GHSA-5xv3-fm7g-865r. 🔗 See GitHub source links for details.

Question 9

What if no patch? (Workaround)

Accepted Answer

🚧 **No Patch?**: Implement **WAF rules** to block SpEL syntax in API parameters. 🛑 Restrict access to the `/policies/validation/condition/` endpoint. 🧱 Input validation at the application layer.

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Vector: `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. 🏃‍♂️ Immediate patching recommended due to RCE risk and low exploitation barrier.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-28848 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring