Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-41277: GeoJSON URL validation fix (#17990) · metabase/metabase@042a36e

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

CVE
#js

Expand Up

@@ -100,10 +100,18 @@

(testing “test the endpoint that fetches JSON files given a URL”

(is (= {:type “Point”

:coordinates [37.77986 -122.429]}

((mt/user->client :rasta) :get 200 “geojson” :url test-geojson-url))))

((mt/user->client :crowberto) :get 200 “geojson” :url test-geojson-url))))

(testing “error is returned if URL connection fails”

(is (= “GeoJSON URL failed to load”

((mt/user->client :rasta) :get 400 “geojson” :url test-broken-geojson-url))))))

((mt/user->client :crowberto) :get 400 “geojson” :url test-broken-geojson-url))))

(testing “error is returned if URL is invalid”

(is (= (str "Invalid GeoJSON file location: must either start with http:// or https:// or be a relative path to "

"a file on the classpath. URLs referring to hosts that supply internal hosting metadata are "

“prohibited.”)

((mt/user->client :crowberto) :get 400 “geojson” :url “file://tmp”))))

(testing “cannot be called by non-admins”

(is (= “You don’t have permissions to do that.”

((mt/user->client :rasta) :get 403 “geojson” :url test-geojson-url))))))

(deftest key-proxy-endpoint-test

(testing “GET /api/geojson/:key”

Expand All

@@ -120,9 +128,9 @@

(is (= {:type “Point”

:coordinates [37.77986 -122.429]}

(client/client :get 200 “geojson/middle-earth”))))

(testing “try fetching an invalid key; should fail”

(is (= “Invalid custom GeoJSON key: invalid-key”

((mt/user->client :rasta) :get 400 “geojson/invalid-key”)))))

(testing “try fetching an invalid key; should fail”

(is (= “Invalid custom GeoJSON key: invalid-key”

((mt/user->client :rasta) :get 400 “geojson/invalid-key”)))))

(mt/with-temporary-setting-values [custom-geojson test-broken-custom-geojson]

(testing “fetching a broken URL should fail”

(is (= “GeoJSON URL failed to load”

Expand Down

Related news

Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907