<p>Upgrade <code>org.open-metadata:openmetadata-service</code> to version 1.2.4 or higher.</p>

Improper Authentication Affecting org.open-metadata:openmetadata-service package, versions [,1.2.4)

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.09% (36^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGOPENMETADATA-6457281
published 18 Mar 2024
disclosed 18 Mar 2024
credit pwntester

Report a new vulnerability Found a mistake?

Introduced: 18 Mar 2024

CVE-2024-28255 Open this link in a new tab CWE-287 Open this link in a new tab

How to fix?

Upgrade org.open-metadata:openmetadata-service to version 1.2.4 or higher.

Overview

Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of JWT tokens in the JwtFilter component. Specifically, the mechanism that checks the request's path against a list of excluded endpoints fails to properly validate JWTs if the request's path includes any excluded endpoints via path parameters. This flaw allows an attacker to bypass authentication by crafting a request that includes arbitrary strings in the path, effectively matching the excluded endpoint condition and proceeding without JWT validation. This vulnerability enables unauthorized access to any endpoint without proper authentication.