CVE-2022-39359

2022-10-2619:15:12

CWE-601

CWE-200

[email protected]

web.nvd.nist.gov

metabase

cve-2022-39359

data visualization

security

patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.2%

JSON

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default).

Affected configurations

Vulners

NVD

Node

metabasemetabaseRange<0.41.9

metabasemetabaseRange0.42.0–0.42.6

metabasemetabaseRange0.43.0–0.43.7

metabasemetabaseRange0.44.0–0.44.5

metabasemetabaseRange1.0.0–1.41.9

metabasemetabaseRange1.42.0–1.42.6

metabasemetabaseRange1.43.0–1.43.7

metabasemetabaseRange1.44.0–1.44.5

VendorProductVersionCPE
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::

CNA Affected

[
  {
    "vendor": "metabase",
    "product": "metabase",
    "versions": [
      {
        "version": "< 0.41.9",
        "status": "affected"
      },
      {
        "version": ">= 0.42.0, < 0.42.6",
        "status": "affected"
      },
      {
        "version": ">= 0.43.0, < 0.43.7",
        "status": "affected"
      },
      {
        "version": ">= 0.44.0, < 0.44.5",
        "status": "affected"
      },
      {
        "version": ">= 1.0.0, < 1.41.9",
        "status": "affected"
      },
      {
        "version": ">= 1.42.0, < 1.42.6",
        "status": "affected"
      },
      {
        "version": ">= 1.43.0, < 1.43.7",
        "status": "affected"
      },
      {
        "version": ">= 1.44.0, < 1.44.5",
        "status": "affected"
      }
    ]
  }
]