Metabase is an open source data analytics platform. In affected versions, a security issue has been discovered with the custom GeoJSON map support (admin->settings->maps->custom maps->add a map) and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you're unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy, load balancer, or WAF to provide a validation filter before the application.
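One way to validate a custom-map URL before it is loaded, so that local paths and `file:` URLs are refused. This is an added example, not Metabase's code or its actual fix. The function name, the http/https allow-list, and the rejection of local host names and non-public IP literals are assumptions that go beyond what the advisory states.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Assumption: remote GeoJSON maps are only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}


def check_map_url(url: str) -> Tuple[bool, str]:
    """Decide whether a custom-map URL may be loaded. Returns (allowed, reason)."""
    if not isinstance(url, str) or not url:
        return False, "empty value"
    # Refuse whitespace and control characters instead of letting a parser strip them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False, "whitespace or control character"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return False, "unparseable URL"
    # Bare filesystem paths have no scheme; file: and other schemes are not allow-listed.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "local host name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; checking what it resolves to is out of scope here
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return False, "non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    for sample in ("https://maps.example.com/world.geojson", "file:///etc/passwd",
                   "/proc/self/environ", "http:///etc/passwd", "http://127.0.0.1:3000/x"):
        print(sample, "->", check_map_url(sample))
```

The same allow-list logic can back a reverse-proxy or WAF rule; upgrading to a fixed release remains the actual remedy.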