Metabase · Metabase · CVE-2022-39359
**Name of the Vulnerable Software and Affected Versions**
Metabase versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9
**Description**
The issue concerns Metabase, a data visualization software. In affected versions, a custom GeoJSON map URL address would follow redirects to otherwise disallowed addresses, such as link-local or private-network addresses. This has been patched, and Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was added to disable custom GeoJSON completely, with `true` as the default setting.
**Recommendations**
For versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, update to version 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9 to resolve the issue.
As a temporary workaround, consider setting the environment variable `MB_CUSTOM_GEOJSON_ENABLED` to `false` to disable custom GeoJSON completely until a patch is applied.
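As an added illustration of the defensive pattern behind the fix described above (this is not Metabase's own code, and the function names, the injectable resolver and the sample addresses are assumptions for the example), the fetcher below checks every address a GeoJSON host resolves to and refuses HTTP redirects outright, since following one would move the request to a host that was never checked:

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse


def resolve_host(host):
    """Every address the host resolves to; an IP literal resolves to itself."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_disallowed_ip(ip_str):
    """Addresses a map fetch must never reach: private, link-local, loopback and similar."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_link_local or ip.is_loopback
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_geojson_url(url, resolver=resolve_host):
    """Accept only http(s) URLs whose host resolves exclusively to allowed addresses.

    `resolver` is injectable (an assumption of this example) so the check can be
    exercised without live DNS.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported GeoJSON URL: {url!r}")
    # Check every resolved address, not only the first one returned.
    for ip in resolver(parsed.hostname):
        if is_disallowed_ip(ip):
            raise ValueError(f"{parsed.hostname} resolves to disallowed address {ip}")
    return parsed


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Fail closed on any 3xx: following it would bypass the host check done above."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_geojson(url, timeout=10):
    """The hardened fetch: validate the host, then request without following redirects."""
    validate_geojson_url(url)
    opener = urllib.request.build_opener(RefuseRedirects)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Resolving in one step and connecting in another still leaves a short DNS rebinding window, so a check applied at connection time is stronger than this pre-flight validation alone.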