CVE-2022-39359
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| metabase | metabase | < 0.41.9 | affected |
| metabase | metabase | >= 0.42.0, < 0.42.6 | affected |
| metabase | metabase | >= 0.43.0, < 0.43.7 | affected |
| metabase | metabase | >= 0.44.0, < 0.44.5 | affected |
| metabase | metabase | >= 1.0.0, < 1.41.9 | affected |
| metabase | metabase | >= 1.42.0, < 1.42.6 | affected |
| metabase | metabase | >= 1.43.0, < 1.43.7 | affected |
| metabase | metabase | >= 1.44.0, < 1.44.5 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4
- https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4
- https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.