CVE-2022-43776: SSRF
First published: Wed Oct 26 2022(Updated: )
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Metabase Metabase | <0.44.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this Metabase vulnerability?
The vulnerability ID of this Metabase vulnerability is CVE-2022-43776.
What is the title of this Metabase vulnerability?
The title of this Metabase vulnerability is "The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks."
How can this vulnerability be exploited?
This vulnerability can be exploited by utilizing the url parameter of the /api/geojson endpoint in Metabase versions <44.5 to perform Server Side Request Forgery attacks.
What is the severity of this vulnerability?
The severity of this vulnerability is medium with a CVSS score of 6.5.
How can this vulnerability be fixed?
To fix this vulnerability, it is recommended to update Metabase to version 44.5 or higher.
- collector/nvd-index
- vendor/metabase
- canonical/metabase metabase