PT-2022-16929 · Metabase · Metabase
Bananabr
Published 2022-04-14 · Updated 2022-04-22
CVE-2022-24855
CVSS v3.1: 8.7 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Metabase versions prior to 0.40.8 and 1.40.8
Metabase versions prior to 0.41.7 and 1.41.7
Metabase versions prior to 0.42.4 and 1.42.4
Description
Metabase is an open source business intelligence and analytics application. In affected versions, Metabase ships with an internal development endpoint, /_internal, that allows cross-site scripting (XSS). An attacker can use it for phishing with crafted links that could lead to account takeover. As the vector shows (PR:L, UI:R), exploitation requires a low-privileged attacker and a victim who opens the attacker-supplied link.
Recommendations
For Metabase versions prior to 0.40.8 and 1.40.8, upgrade to version 0.40.8 or 1.40.8, or block access to the /_internal endpoints at your firewall or reverse proxy.
For Metabase versions prior to 0.41.7 and 1.41.7, upgrade to version 0.41.7 or 1.41.7, or block access to the /_internal endpoints at your firewall or reverse proxy.
For Metabase versions prior to 0.42.4 and 1.42.4, upgrade to version 0.42.4 or 1.42.4, or block access to the /_internal endpoints at your firewall or reverse proxy.
Blocking the endpoint is a stopgap: it only helps if every client request passes through the device that enforces the block, so the upgrade remains the recommended fix.
Exploit
Fix
XSS
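One way to apply the "block access" mitigation from the recommendations above at a reverse proxy. This is an added example, not configuration from this advisory or from the Metabase project; it assumes Metabase is deployed behind nginx, that nginx terminates TLS for the placeholder name metabase.example.com, and that Metabase itself listens only on 127.0.0.1:3000 so it cannot be reached without going through the proxy.

```nginx
# Added example (not Metabase's own configuration): deny the Metabase
# /_internal development pages at the reverse proxy.
# Assumed placeholders: metabase.example.com, upstream 127.0.0.1:3000.
server {
    listen 443 ssl;
    server_name metabase.example.com;

    # ^~ is a prefix match that takes precedence over regex locations, so
    # no later rule can re-expose the path. It covers /_internal,
    # /_internal/ and everything beneath it.
    location ^~ /_internal {
        return 404;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, confirm the block from a client's point of view with `curl -sS -o /dev/null -w '%{http_code}\n' https://metabase.example.com/_internal/` (expected 404) and a request to `/` (expected 200 or a redirect to the login page). Keep the Metabase port itself bound to loopback or firewalled, otherwise a crafted link can simply point at the application port and bypass the proxy rule.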
Weakness Enumeration
Related Identifiers
Affected Products
Metabase