Executive Summary

In OpenMetadata versions prior to 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive sensitive information in the HTTP response. This includes the cleartext database password and the ingestion-bot JWT token.

The leaked ingestion-bot JWT token can then be reused by an attacker to access sensitive service APIs with bot-level privileges, allowing unauthorized access to confidential data and system functions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of database passwords and ingestion-bot JWT tokens to non-admin users.

An attacker with the leaked JWT token can access sensitive APIs with bot-level privileges, potentially retrieving or modifying database service configurations and metadata.

This compromises the confidentiality, integrity, and availability of the system, as indicated by the high CVSS score of 8.3.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the /api/v1/automations/workflows endpoint, specifically looking for TEST_CONNECTION workflow triggers by non-admin SSO users.

Detection involves inspecting the HTTP 201 responses for the presence of sensitive data such as cleartext database passwords in request.connection.config.password and ingestion bot JWT tokens in openMetadataServerConnection.securityConfig.jwtToken.

Network monitoring tools or proxy logs can be used to capture and analyze these HTTP requests and responses.

• Use curl or similar tools to manually test the endpoint: curl -X POST -H "Authorization: Bearer <non-admin SSO token>" https://<openmetadata-server>/api/v1/automations/workflows with a payload triggering TEST_CONNECTION and inspect the response for sensitive fields.
• Use network packet capture tools like tcpdump or Wireshark to filter HTTP traffic to the /api/v1/automations/workflows endpoint and analyze responses.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade OpenMetadata to version 1.12.4 or later, where this vulnerability has been patched.

Additionally, configuring a Secrets Store to manage sensitive credentials securely can help reduce the risk of exposure.

Restricting non-admin SSO user permissions to prevent triggering the TEST_CONNECTION workflow can also mitigate exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a non-admin user to obtain cleartext database passwords and ingestion-bot JWT tokens, which can be used to access sensitive service APIs with elevated privileges. Such unauthorized access to confidential data and system integrity can lead to violations of data protection requirements under standards like GDPR and HIPAA.

Specifically, the exposure of sensitive credentials increases the risk of data breaches, unauthorized data access, and potential data modification, all of which are critical concerns for compliance with regulations that mandate strict controls over personal and sensitive information.

Mitigating this vulnerability by upgrading to the patched version or configuring a Secrets Store is essential to maintain compliance and protect sensitive data.

Useful 0 Not Useful 0