CVE-2022-39359

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default).
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
metabasemetabase
0.41.0 ≤
𝑥
< 0.41.9
metabasemetabase
0.42.0 ≤
𝑥
< 0.42.6
metabasemetabase
0.43.0 ≤
𝑥
< 0.43.7
metabasemetabase
0.44.0 ≤
𝑥
< 0.44.5
metabasemetabase
1.41.0 ≤
𝑥
< 1.41.9
metabasemetabase
1.42.0 ≤
𝑥
< 1.42.6
metabasemetabase
1.43.0 ≤
𝑥
< 1.43.7
metabasemetabase
1.44.0 ≤
𝑥
< 1.44.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e
https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4
https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e
https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4