Headline
CVE-2022-39359: GeoJSON validation doesn't prevent redirects to blocked URLs
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, the URL of a custom GeoJSON map was fetched while following HTTP redirects, including redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses. Only the initial URL was validated, so a redirect could bypass the check. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default).
Package
Metabase OSS and Enterprise (Metabase)
Affected versions
<x.44.5,<x.43.7,<x.42.6,<x.41.9
Patched versions
0.44.5,1.44.5,0.43.7,1.43.7,0.42.6,1.42.6,0.41.9,1.41.9
Description
Impact
A custom GeoJSON map URL was fetched while following HTTP redirects, so a redirect could lead to addresses that were otherwise disallowed (such as link-local or private-network addresses) even though the initial URL passed validation.
Patches
The following patches (or greater versions) are available:
- 0.44.5 and 1.44.5,
- 0.43.7 and 1.43.7,
- 0.42.6 and 1.42.6,
- 0.41.9 and 1.41.9
All releases are available on https://github.com/metabase/metabase/releases.
Mitigation
Metabase no longer follows redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default).
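The following is an added illustration of the bypass and of the fix described above; it is example code written for this page, not Metabase's own implementation. It contrasts a fetcher that validates only the initial URL and then follows redirects (the pre-patch behaviour) with one that refuses redirects outright and honours a kill switch modelled on MB_CUSTOM_GEOJSON_ENABLED. The HTTP transport, the DNS resolver, the hostname maps.example.com and the redirect target are all constructed in the block so that it runs offline; the blocked-range list is an assumption of this example, not a statement of what Metabase checks.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urlparse

# Ranges a server-side fetch should never reach (assumed list for this example:
# loopback, RFC 1918, CGNAT, link-local including the cloud metadata address,
# and the IPv6 equivalents).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# A transport performs exactly one request and never follows redirects itself.
Transport = Callable[[str], Response]
Resolver = Callable[[str], str]  # hostname -> IP address string


def is_allowed_url(url: str, resolver: Resolver = socket.gethostbyname) -> bool:
    """True if the URL is http(s) and its host does not land in a blocked range.
    Production code should check every address from getaddrinfo, not just one."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parsed.hostname)      # literal IP, incl. [::1]
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(parsed.hostname))
        except (OSError, ValueError):                   # NXDOMAIN or junk answer
            return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def fetch_geojson_vulnerable(url: str, transport: Transport, resolver: Resolver,
                             max_redirects: int = 5) -> Response:
    """Pre-patch shape of the bug: only the first URL is validated, then every
    Location header is followed without being checked."""
    if not is_allowed_url(url, resolver):
        raise ValueError(f"blocked URL: {url}")
    for _ in range(max_redirects + 1):
        resp = transport(url)
        if resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
            url = resp.headers["Location"]   # attacker-controlled, unchecked
            continue
        return resp
    raise ValueError("too many redirects")


def fetch_geojson_fixed(url: str, transport: Transport, resolver: Resolver,
                        custom_geojson_enabled: bool = True) -> Response:
    """Patched behaviour: optional kill switch, validate, and refuse to redirect."""
    if not custom_geojson_enabled:     # models MB_CUSTOM_GEOJSON_ENABLED=false
        raise PermissionError("custom GeoJSON maps are disabled")
    if not is_allowed_url(url, resolver):
        raise ValueError(f"blocked URL: {url}")
    resp = transport(url)
    if resp.status in REDIRECT_STATUSES:
        raise ValueError(f"refusing redirect to {resp.headers.get('Location')!r}")
    return resp


# Constructed DNS table and web server for an offline demonstration.
CONSTRUCTED_DNS = {"maps.example.com": "93.184.216.34"}
CONSTRUCTED_SERVER = {
    "https://maps.example.com/states.geojson":
        Response(302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "http://169.254.169.254/latest/meta-data/":
        Response(200, {}, b"ami-id\ninstance-id\n"),
    "https://maps.example.com/counties.geojson":
        Response(200, {"Content-Type": "application/geo+json"},
                 b'{"type":"FeatureCollection","features":[]}'),
}


def constructed_resolver(host: str) -> str:
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return CONSTRUCTED_DNS[host]


def constructed_transport(url: str) -> Response:
    return CONSTRUCTED_SERVER.get(url, Response(404))


def demo():
    """Returns (body leaked by the vulnerable fetcher, whether the fixed fetcher
    blocked the redirect, status of a legitimate fetch through the fixed path)."""
    bad = "https://maps.example.com/states.geojson"
    leaked = fetch_geojson_vulnerable(bad, constructed_transport, constructed_resolver).body
    try:
        fetch_geojson_fixed(bad, constructed_transport, constructed_resolver)
        blocked = False
    except ValueError:
        blocked = True
    good = fetch_geojson_fixed("https://maps.example.com/counties.geojson",
                               constructed_transport, constructed_resolver)
    return leaked, blocked, good.status


if __name__ == "__main__":
    print(demo())
```

Refusing redirects is the simpler and safer policy: an alternative that follows redirects but re-validates each hop still has to cope with hostnames whose records change between the check and the connect, so it needs the resolved address pinned into the connection as well. The kill switch is the right mitigation for deployments that never use custom maps at all.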
Credits
Reported by Ronan Donohue of https://Tenable.com via security@ email.