Lucene search

[email protected]NVD:CVE-2022-39359

HistoryOct 26, 2022 - 7:15 p.m.

CVE-2022-39359

2022-10-2619:15:12

CWE-200

CWE-601

[email protected]

web.nvd.nist.gov

metabase

data visualization

unauthorized redirects

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.0%

JSON

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default).

Affected configurations

NVD

Node

metabasemetabaseRange0.41.0–0.41.9

metabasemetabaseRange0.42.0–0.42.6

metabasemetabaseRange0.43.0–0.43.7

metabasemetabaseRange0.44.0–0.44.5

metabasemetabaseRange1.41.0–1.41.9

metabasemetabaseRange1.42.0–1.42.6

metabasemetabaseRange1.43.0–1.43.7

metabasemetabaseRange1.44.0–1.44.5

References

github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e

github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.0%

JSON

Related for NVD:CVE-2022-39359

cve1 nessus1 cvelist1 prion1 osv1