CVE-2022-39359: Metabase's GeoJSON validation doesn't prevent redirects to blocked URLs
First published: Wed Oct 26 2022(Updated: )
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default).
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Metabase | >=0.41.0<0.41.9 | |
| Metabase | >=0.42.0<0.42.6 | |
| Metabase | >=0.43.0<0.43.7 | |
| Metabase | >=0.44.0<0.44.5 | |
| Metabase | >=1.41.0<1.41.9 | |
| Metabase | >=1.42.0<1.42.6 | |
| Metabase | >=1.43.0<1.43.7 | |
| Metabase | >=1.44.0<1.44.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-39359?
CVE-2022-39359 is a vulnerability in Metabase data visualization software that allows custom GeoJSON map URLs to follow redirects to disallowed addresses.
What versions of Metabase are affected by CVE-2022-39359?
Metabase versions 0.41.0 to 0.41.9, 0.42.0 to 0.42.6, 0.43.0 to 0.43.7, 0.44.0 to 0.44.5, 1.41.0 to 1.41.9, 1.42.0 to 1.42.6, 1.43.0 to 1.43.7, and 1.44.0 to 1.44.5 are affected by CVE-2022-39359.
What is the severity of CVE-2022-39359?
CVE-2022-39359 has a severity value of 6.5 which is considered medium.
How can I fix CVE-2022-39359?
To fix CVE-2022-39359, upgrade to Metabase versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9 which have the patch for this vulnerability.
Where can I find more information about CVE-2022-39359?
You can find more information about CVE-2022-39359 on the Metabase GitHub repository and the Metabase security advisories page.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/title
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/metabase
- canonical/metabase
- version/metabase/0.41.0
- version/metabase/0.42.0
- version/metabase/0.43.0
- version/metabase/0.44.0
- version/metabase/1.41.0
- version/metabase/1.42.0
- version/metabase/1.43.0
- version/metabase/1.44.0