Vulnerability Description
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, a custom GeoJSON map URL would follow HTTP redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses, so the validation applied to the original URL could be bypassed by a redirect. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9: Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON maps completely (`true` by default).
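The two controls the description names, refusing redirects and refusing link-local or private-network targets, written out as an added Python example. This is not Metabase's own code (Metabase is written in Clojure); the `CUSTOM_GEOJSON_ENABLED` flag stands in for the `MB_CUSTOM_GEOJSON_ENABLED` setting, and the fake resolver, fake HTTP transport and their addresses are constructed so the example runs offline.

```python
"""Hardened fetch of a user-supplied GeoJSON URL: refuse redirects outright and
refuse link-local / private-network targets before any request is made.

Added example, not Metabase code. The flag, the fake transport and the fake
resolver below are constructed for offline demonstration.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Stand-in for the MB_CUSTOM_GEOJSON_ENABLED kill switch (true by default).
CUSTOM_GEOJSON_ENABLED = True


class GeoJsonFetchError(Exception):
    """Raised when a GeoJSON URL is refused or the fetch does not return 200."""


def is_disallowed_address(ip_text):
    """True for any address a server must not contact on a user's behalf:
    loopback, private (RFC 1918 / ULA), link-local, multicast, reserved,
    unspecified. IPv4-mapped IPv6 is unwrapped so ::ffff:127.0.0.1 is judged
    as 127.0.0.1 rather than slipping past an IPv4-only check."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Real resolver: every address (A and AAAA) the host resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_geojson_url(url, resolver=system_resolver):
    """Allow only http(s) URLs whose host resolves exclusively to public
    addresses. Every resolved address is checked, not just the first one."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise GeoJsonFetchError("scheme not allowed: %r" % parsed.scheme)
    host = parsed.hostname
    if not host:
        raise GeoJsonFetchError("URL has no host")
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise GeoJsonFetchError("host did not resolve: %s" % host)
    for addr in addresses:
        if is_disallowed_address(addr):
            raise GeoJsonFetchError("%s resolves to disallowed address %s" % (host, addr))
    return parsed


def fetch_geojson(url, transport, resolver=system_resolver):
    """Fetch a validated URL through a transport that performs exactly one
    request and never follows redirects. Any 3xx is refused: the Location
    target is never contacted, which is the behaviour the advisory describes."""
    if not CUSTOM_GEOJSON_ENABLED:
        raise GeoJsonFetchError("custom GeoJSON maps are disabled")
    validate_geojson_url(url, resolver)
    status, headers, body = transport(url)
    if 300 <= status < 400:
        raise GeoJsonFetchError("redirect refused: %s -> %s"
                                % (url, headers.get("Location", "<none>")))
    if status != 200:
        raise GeoJsonFetchError("unexpected status %d" % status)
    return body


# ---- constructed offline fixtures (not real hosts or responses) -------------
FAKE_DNS = {  # 1.2.3.4 stands in for an ordinary public address
    "maps.example.com": ["1.2.3.4"],
    "mixed.example.net": ["1.2.3.4", "10.0.0.5"],  # one public, one private record
    "localhost": ["127.0.0.1"],
}
FAKE_HTTP = {  # url -> (status, headers, body)
    "https://maps.example.com/countries.geojson":
        (200, {}, '{"type":"FeatureCollection","features":[]}'),
    "https://maps.example.com/redirect":
        (302, {"Location": "http://169.254.10.20/map.geojson"}, ""),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url):
    return FAKE_HTTP.get(url, (404, {}, ""))


def run_demo():
    """Run each constructed scenario; returns one outcome string per name."""
    scenarios = {
        "public_ok": "https://maps.example.com/countries.geojson",
        "redirect_to_link_local": "https://maps.example.com/redirect",
        "literal_link_local": "http://169.254.10.20/map.geojson",
        "hostname_with_private_record": "https://mixed.example.net/x.geojson",
        "loopback_name": "http://localhost:3000/x.geojson",
        "bad_scheme": "file:///etc/hosts",
    }
    results = {}
    for name, url in scenarios.items():
        try:
            fetch_geojson(url, transport=fake_transport, resolver=fake_resolver)
            results[name] = "ok"
        except GeoJsonFetchError as exc:
            results[name] = "refused: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print("%-30s %s" % (name, outcome))
```

Two design points matter here. First, the redirect is refused rather than re-validated: following it would mean validating a second URL and, in the pre-fix behaviour, skipping that step entirely, so the simplest correct rule is the one Metabase adopted, one request and no redirects. Second, the address check runs against every record the name resolves to and before the request; in a real client the connection should be made to the address that was vetted (or the check repeated in the connect hook), otherwise a resolver that answers differently on the second lookup can still steer the request.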
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metabase | Metabase | >= 0.41.0, < 0.41.9 |
Related Weaknesses (CWE)
References
- https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5 (Patch, Third Party Advisory)
- https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4 (Third Party Advisory)
FAQ
What is CVE-2022-39359?
CVE-2022-39359 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, a custom GeoJSON map URL would follow redirects to addresses that w...
How severe is CVE-2022-39359?
CVE-2022-39359 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-39359?
Check the references section above for the vendor advisory and patch commit. Affected product: Metabase (vendor: Metabase).