
GeoJSON validation doesn't prevent redirects to blocked URLs

High
ranquild published GHSA-w5j7-4mgm-77f4 Oct 24, 2022

Package

Metabase OSS and Enterprise (Metabase)

Affected versions

< x.44.5, < x.43.7, < x.42.6, < x.41.9

Patched versions

0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, 1.41.9

Description

Impact

When fetching a custom GeoJSON map URL, Metabase would follow HTTP redirects to addresses that were otherwise disallowed (such as link-local or private-network addresses), so the URL check could be bypassed by a redirect.

Patches

The following patches (or greater versions) are available:

  • 0.44.5 and 1.44.5,
  • 0.43.7 and 1.43.7,
  • 0.42.6 and 1.42.6,
  • 0.41.9 and 1.41.9

All releases are available on https://github.com/metabase/metabase/releases.

Mitigation

Metabase no longer follows redirects on GeoJSON map URLs. An environment variable, MB_CUSTOM_GEOJSON_ENABLED, was also added to disable custom GeoJSON completely (true by default).
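As an added example (not Metabase's own code, which is Clojure), the pattern behind this fix in Python: validating the URL before the request is not enough when the HTTP client then follows redirects on its own, because the redirect target is never re-checked. The fake HTTP responses, the fake DNS table and all addresses below are constructed; `MB_CUSTOM_GEOJSON_ENABLED` is the variable named above, but the exact rule for parsing its value is an assumption.

```python
import ipaddress
import socket
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def default_resolver(host: str) -> str:
    """Resolve a hostname to one IP address using real DNS (the demo injects a fake instead)."""
    return socket.gethostbyname(host)


def host_is_blocked(host: str, resolver=default_resolver) -> bool:
    """True if `host` is, or resolves to, an address that must not be fetched:
    loopback, link-local, private-network, reserved or any other non-global address."""
    try:
        ip = ipaddress.ip_address(host)              # host given as an IP literal
    except ValueError:
        ip = ipaddress.ip_address(resolver(host))    # hostname: resolve, then classify
    return not ip.is_global


def url_is_allowed(url: str, resolver=default_resolver) -> bool:
    """Only http(s) URLs whose host is not a blocked address are allowed."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not host_is_blocked(parts.hostname, resolver)


def fetch_following_redirects(url, http, resolver=default_resolver, max_hops=5):
    """Vulnerable pattern: the URL is checked once, then redirects are followed
    blindly, so a 3xx pointing at a blocked address is fetched anyway."""
    if not url_is_allowed(url, resolver):
        raise ValueError("blocked URL: " + url)
    for _ in range(max_hops):
        status, headers, body = http(url)
        if status in REDIRECT_STATUSES:
            url = headers["Location"]   # target is never validated
            continue
        return body
    raise ValueError("too many redirects")


def fetch_no_redirects(url, http, resolver=default_resolver):
    """Fixed pattern (what the advisory describes): validate, then refuse any redirect."""
    if not url_is_allowed(url, resolver):
        raise ValueError("blocked URL: " + url)
    status, headers, body = http(url)
    if status in REDIRECT_STATUSES:
        raise ValueError("redirect refused for GeoJSON URL: " + url)
    return body


def custom_geojson_enabled(env) -> bool:
    """Feature toggle: MB_CUSTOM_GEOJSON_ENABLED defaults to true.
    Treating 'false'/'0'/'no' as disabled is an assumed parsing rule, not Metabase's."""
    return env.get("MB_CUSTOM_GEOJSON_ENABLED", "true").strip().lower() not in ("false", "0", "no")


# ---- constructed sample data for an offline demonstration ----
OK_URL = "https://maps.example.com/ok.geojson"
REDIRECTING_URL = "https://maps.example.com/regions.geojson"
LINK_LOCAL_URL = "http://169.254.10.10/internal.json"   # constructed link-local address

FAKE_DNS = {"maps.example.com": "51.0.0.1"}             # constructed public address
FAKE_HTTP = {                                            # url -> (status, headers, body)
    OK_URL: (200, {}, b'{"type":"FeatureCollection","features":[]}'),
    REDIRECTING_URL: (302, {"Location": LINK_LOCAL_URL}, b""),
    LINK_LOCAL_URL: (200, {}, b'{"internal":"should never be returned"}'),
}


def fake_resolver(host: str) -> str:
    return FAKE_DNS.get(host, host)


def fake_http(url: str):
    return FAKE_HTTP[url]


if __name__ == "__main__":
    # Vulnerable client: the redirect to a link-local address is followed.
    print(fetch_following_redirects(REDIRECTING_URL, fake_http, fake_resolver))
    # Fixed client: the same URL is rejected once the server answers with a 302.
    try:
        fetch_no_redirects(REDIRECTING_URL, fake_http, fake_resolver)
    except ValueError as exc:
        print("rejected:", exc)
    print(fetch_no_redirects(OK_URL, fake_http, fake_resolver))
```

The point to take from the two fetch functions is that refusing redirects is simpler and safer than re-validating each hop: a re-validation still has to resolve the new host, and the DNS answer can differ from the one the check saw.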

Credits

Reported by Ronan Donohue of https://Tenable.com via security@ email.

Severity

High

CVE ID

CVE-2022-39359
