Skip to main content

Metabase CVE-2022-39359

MEDIUM
Information Exposure (CWE-200)
2022-10-26 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 26, 2022 - 19:15 nvd
MEDIUM 6.5

DescriptionNVD

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default).

AnalysisAI

Metabase is data visualization software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable MB_CUSTOM_GEOJSON_ENABLED was also added to disable custom GeoJSON completely (true by default). Affected products include: Metabase.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2023-38646 CRITICAL POC
9.8 Jul 21

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman

CVE-2021-41277 HIGH POC
7.5 Nov 17

Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2022-43776 MEDIUM POC
6.5 Oct 26

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For

CVE-2026-50148 CRITICAL
10.0 Jul 15

Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed release

CVE-2023-37470 CRITICAL
9.8 Aug 04

Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-32680 CRITICAL
9.6 May 18

Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely

CVE-2022-24853 MEDIUM POC
5.3 Apr 14

Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-59827 HIGH
8.8 Jul 09

Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run

CVE-2022-39362 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-39361 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-24854 HIGH
8.8 Apr 14

Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnera

CVE-2026-27464 HIGH
7.7 Feb 21

Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi

Share

CVE-2022-39359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy