Description
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, a custom GeoJSON map URL would follow HTTP redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default).
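The defect described above is a blocklist that is only applied to the URL the user typed, while the HTTP client silently follows a redirect from that (allowed) host to a private or link-local address. The following is an added example, not Metabase's own code, of a fetcher that validates every resolved address of the requested host and, like the patched versions, refuses redirects outright; the `resolve` parameter is a hypothetical hook so the check can be exercised offline with constructed addresses.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse


def is_disallowed_address(addr: str) -> bool:
    """True for addresses a server-side fetch of a user URL must never reach."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url: str, resolve=None) -> None:
    """Raise ValueError unless url is http(s) and every address it resolves to is public.

    `resolve` maps a hostname to a list of IP strings (hypothetical hook for tests);
    by default it uses DNS via socket.getaddrinfo."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported URL: {url}")
    if resolve is None:
        resolve = lambda host: [info[4][0] for info in socket.getaddrinfo(host, None)]
    addrs = resolve(parsed.hostname)
    if not addrs:
        raise ValueError(f"cannot resolve {parsed.hostname}")
    for addr in addrs:          # reject if ANY answer is internal (DNS may return several)
        if is_disallowed_address(addr):
            raise ValueError(f"{url} resolves to disallowed address {addr}")


def url_allowed(url: str, resolve=None) -> bool:
    """Boolean wrapper around check_url for callers that prefer a verdict to an exception."""
    try:
        check_url(url, resolve)
        return True
    except ValueError:
        return False


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect: the hop target was never validated, so it is not fetched."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code,
                                     f"redirect to {newurl} refused", headers, fp)


def fetch_geojson(url: str, resolve=None) -> bytes:
    """Validate the URL, then fetch it with an opener that never follows redirects."""
    check_url(url, resolve)
    opener = urllib.request.build_opener(NoRedirect())
    with opener.open(url, timeout=10) as resp:
        return resp.read()
```

A validated public host that answers with a `302 Location: http://169.254.169.254/...` now fails with an HTTPError instead of being followed; the alternative of following redirects is only safe if each hop is passed through `check_url` again before it is requested.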
References (2)
Patch, Third Party Advisory: https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e
Third Party Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4
Scores
CVSS v3: 6.5
EPSS: 0.0022
EPSS Percentile: 44.1%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-601, CWE-200
Status: published
Products (1)
metabase/metabase: 0.41.0 - 0.41.9
Published: Oct 26, 2022
Tracked Since: Feb 18, 2026