Created
August 8, 2025 05:02
-
-
Save javadk/ed0d38e4578405672f154e289036a705 to your computer and use it in GitHub Desktop.
CVE-2025-50467
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Suggested description] | |
| OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can | |
| extract information from the database in function listCount in the | |
| TestDefinitionDAO interface. The supportedDataTypeParam parameter can | |
| be used to build a SQL query. | |
| ------------------------------------------ | |
| [Additional Information] | |
| ### Details | |
| The open-metadata project exposes the function listCount in TestDefinitionDAO interface at the API URL api/v1/dataQuality/testDefinitions. The supportedDataTypeParam parameter is directly used to build a SQL query in line 3527,3528 as it can be seen in the following snippet: | |
|  | |
| ------------------------------------------ | |
| [Vulnerability Type] | |
| SQL Injection | |
| ------------------------------------------ | |
| [Vendor of Product] | |
| open-metadata | |
| ------------------------------------------ | |
| [Affected Product Code Base] | |
| open-metadata 1.4.4 - =<1.4.4 | |
| ------------------------------------------ | |
| [Attack Type] | |
| Remote | |
| ------------------------------------------ | |
| [Impact Escalation of Privileges] | |
| true | |
| ------------------------------------------ | |
| [Impact Information Disclosure] | |
| true | |
| ------------------------------------------ | |
| [Attack Vectors] | |
| ### Summary | |
| A SQL injection vulnerability exists in open-metadata 1.4.4 where an authenticated, low-privileged remote attacker could extract information from the database. | |
| ### Details | |
| The open-metadata project exposes the function listCount in TestDefinitionDAO interface at the API URL api/v1/dataQuality/testDefinitions. The supportedDataTypeParam parameter is directly used to build a SQL query in line 3527,3528 | |
| =========================================- | |
| [Reference] | |
| https://github.com/open-metadata/OpenMetadata/blob/4b9145a9da7ed95b7f868ab9f351e3d759af47d7/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L3527 | |
| https://github.com/open-metadata/OpenMetadata/blob/4b9145a9da7ed95b7f868ab9f351e3d759af47d7/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L3528 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment