OpenMetadata Security Update Advisory (CVE-2024-28254, CVE-2024-28255)

Overview

We have released a security update to address two vulnerabilities in OpenMetadata. Users of affected products are advised to update to the latest version.

Affected Products

Versions of OpenMetadata prior to 1.2.4

Resolved Vulnerabilities

SpEL injection vulnerability in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata (CVE-2024-28254)

Authentication bypass vulnerability in OpenMetadata (CVE-2024-28255)

Vulnerability Patches

Vulnerability patches are available in the latest update. Please follow the instructions on the Referenced Sites to update to the patched version listed below.

OpenMetadata version 1.2.4

Referenced Sites

[1] CVE-2024-28254 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-28254

[2] SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` (`GHSL-2023-235`)

https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-j86m-rrpr-g8gw

[3] CVE-2024-28255 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-28255

[4] Authentication Bypass (`GHSL-2023-237`)

https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84