This page lists all security vulnerabilities fixed in released versions of OpenMetadata.
This CVE identifies a vulnerability in JWTFilter that could be used to bypass authentication checks for a few API endpoints.

| Field | Detail |
| --- | --- |
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and later |
| Severity | Critical |
| Impact | This issue may lead to authentication bypass. |
| Advice | We advise all OpenMetadata users to promptly upgrade to version 1.2.4 or later (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
This CVE identified a flaw that allows registered, authenticated users to exploit the API endpoint /api/v1/policies/validation/condition to remotely execute code on the server.

| Field | Detail |
| --- | --- |
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and later |
| Severity | Moderate |
| Impact | This issue may lead to remote code execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to promptly upgrade to version 1.2.4 or later (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
This CVE identified a flaw that allows registered, authenticated users to exploit the API endpoint /api/v1/events/subscriptions to remotely execute code on the server.

| Field | Detail |
| --- | --- |
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and later |
| Severity | Moderate |
| Impact | This issue may lead to remote code execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to promptly upgrade to version 1.2.4 or later (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
This CVE identified a flaw that allows registered, authenticated users to exploit the API endpoint GET /api/v1/events/subscriptions/validation/condition/<expr> to remotely execute code on the server.

| Field | Detail |
| --- | --- |
| Versions affected | All AK versions |
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and later |
| Severity | High |
| Impact | This issue may lead to remote code execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to promptly upgrade to version 1.2.4 or later (>=1.2.4) to mitigate this vulnerability. |
| Issue fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
A possible security vulnerability has been identified in OpenMetadata SpEL rule evaluation. Exploiting it requires access to the OpenMetadata APIs as an authenticated user. An authenticated user can send a PUT request with a malicious payload to invoke a JVM method and run code on the server.

| Field | Detail |
| --- | --- |
| Versions affected | 0.3.0 - 1.3.0 |
| Fixed versions | 1.3.1 and later |
| Severity | Moderate |
| Impact | This issue may lead to remote code execution by a registered and authenticated user. |
| Advice | We advise all OpenMetadata users to upgrade to version 1.3.1 or later (>=1.3.1) to mitigate this vulnerability. |
| Issue fixed | Mar 1st 2024 |
| Issue announced | March 16th 2024 |
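The SpEL advisory above turns on which evaluation context a rule engine hands to the Spring Expression Language: `StandardEvaluationContext` exposes the whole language, including `T(...)` type references that reach arbitrary JVM classes, while `SimpleEvaluationContext` restricts expressions to data binding. The following is an added illustration of that difference, written for this page; it is not OpenMetadata's code and makes no claim about how the project's fix was implemented. It assumes Spring's `spring-expression` module on the classpath, and `RuleInput` is a constructed stand-in for the object a rule is evaluated against. The type-reference expression uses `java.lang.Math` only because it is harmless.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    /** Constructed root object: the data a rule condition is evaluated against. */
    public static class RuleInput {
        private final String owner;
        private final int rowCount;

        public RuleInput(String owner, int rowCount) {
            this.owner = owner;
            this.rowCount = rowCount;
        }

        public String getOwner() { return owner; }
        public int getRowCount() { return rowCount; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Evaluates expr against input under ctx and reports the result or the rejection reason. */
    static String evaluate(EvaluationContext ctx, String expr, RuleInput input) {
        try {
            Expression e = PARSER.parseExpression(expr);
            return "OK: " + e.getValue(ctx, input);
        } catch (SpelEvaluationException ex) {
            // SimpleEvaluationContext rejects type references with TYPE_NOT_FOUND.
            return "REJECTED: " + ex.getMessageCode();
        }
    }

    public static void main(String[] args) {
        RuleInput input = new RuleInput("alice", 42);

        // A legitimate rule: property reads and comparisons only.
        String benignRule = "owner == 'alice' and rowCount > 10";
        // A type reference: the construct that lets an expression reach any JVM class.
        String typeRefRule = "T(java.lang.Math).abs(-1)";

        // Weak setting: the full SpEL language is available to user-supplied rules.
        EvaluationContext permissive = new StandardEvaluationContext();
        // Hardened setting: no type references, constructors or bean references,
        // and forReadOnlyDataBinding() registers no method resolvers either.
        EvaluationContext restricted = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        for (EvaluationContext ctx : new EvaluationContext[] {permissive, restricted}) {
            String name = ctx.getClass().getSimpleName();
            System.out.println(name + " benign  -> " + evaluate(ctx, benignRule, input));
            System.out.println(name + " typeRef -> " + evaluate(ctx, typeRefRule, input));
        }
    }
}
```

Both contexts accept the benign rule; only `StandardEvaluationContext` accepts the `T(...)` expression. When rule text comes from API callers, the restricted context is the setting to verify during review, alongside the version check the advisory table gives.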