We use cookies to improve site navigation, analyze site usage, and enhance your user experience. Click "Accept" to enable cookies or "Reject" to reject cookies.
This page lists all security vulnerabilities fixed in released versions of OpenMetadata.
This CVE identifies a vulnerability in JWTFilter which could be used to bypass authentication checks for few API endpoints.
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | Critical |
| Impact | This issue may lead to authentication bypass. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue Fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
This CVE identified a flaw where it allows the registered users and authenticated users to exploit the API endpoint /api/v1/policies/validation/condition to remotely execute code on the server.
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | Moderate |
| Impact | This issue may lead to Remote Code Execution by an Registered and Authenticated User. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue Fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
This CVE identified a flaw where it allows the registered users and authenticated users to exploit the API endpoint /api/v1/events/subscriptions to remotely execute code on the server.
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | Moderate |
| Impact | This issue may lead to Remote Code Execution by an Registered and Authenticated User. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue Fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
This CVE identified a flaw where it allows the registered users and authenticated users to exploit the API endpoint GET /api/v1/events/subscriptions/validation/condition/<expr>to remotely execute code on the server.
| Versions affected | All AK versions |
| Versions affected | 0.3.0 - 1.2.3 |
| Fixed versions | 1.2.4 and Later |
| Severity | High |
| Impact | This issue may lead to Remote Code Execution by an Registered and Authenticated User. |
| Advice | We advise all OpenMetadata users to promptly upgrade to (>=1.2.4) to mitigate this vulnerability. |
| Issue Fixed | Jan 5th 2024 |
| Issue announced | March 16th 2024 |
A possible security vulnerability has been identified in OpenMetadata SPeL rule evalaution. This requires access OpenMetadata APIs as an authenticated user. A authenticated user can send PUT request with a malicious payload to execute a JVM method and run a code on the server.
| Versions affected | 0.3.0 - 1.3.0 |
| Fixed versions | 1.3.1 and Later |
| Severity | Moderate |
| Impact | This issue may lead to Remote Code Execution by an Registered and Authenticated User. |
| Advice | We advise all OpenMetadata users to upgrade to (>=1.3.1) to mitigate this vulnerability. |
| Issue Fixed | Mar 1st 2024 |
| Issue announced | March 16th 2024 |