PT-2022-24927 · Metabase · Metabase

Ronan Donohue · Published 2022-10-26 · Updated 2022-10-28

CVE-2022-39359 · CVSS v3.1 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Metabase versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9
Description: The issue concerns Metabase, a data visualization application. In affected versions, the URL given for a custom GeoJSON map was checked against disallowed destinations such as link-local and private-network addresses, but the server then followed HTTP redirects from the checked address, so a redirecting host could point the fetch at exactly those disallowed addresses. This has been patched: Metabase no longer follows redirects on GeoJSON map URLs. An environment variable, MB_CUSTOM_GEOJSON_ENABLED, was added to disable custom GeoJSON entirely; its default is true.
Recommendations: Update to version 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9 (the patched release of the branch in use) to resolve the issue. As a temporary workaround until the patch is applied, set the environment variable MB_CUSTOM_GEOJSON_ENABLED to false to disable custom GeoJSON completely.
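The validate-then-follow pattern behind this issue, as an added example in Python (not Metabase's own code, which is Clojure): the DNS table, the remote HTTP responses and the function names are constructed here for illustration. `fetch_geojson_vulnerable` checks only the submitted URL and then follows a 302 to the link-local cloud-metadata address, which is what the advisory describes; `fetch_geojson_fixed` validates once and refuses any redirect, matching the patched behaviour; `custom_geojson_enabled` models the default-true MB_CUSTOM_GEOJSON_ENABLED kill switch (its parsing rule is an assumption).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS resolution (hostname -> IPv4 literal).
# A real fetcher would use the system resolver and re-resolve per hop.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "geo.example.org": "8.8.8.8",
}

# Constructed stand-in for remote servers: url -> (status, headers, body).
# The first entry models a public host that redirects to the link-local
# cloud metadata endpoint; the second is that endpoint.
FAKE_HTTP = {
    "https://geo.example.org/map.geojson": (
        302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (
        200, {}, "ami-id\ninstance-id\n"),
    "https://example.com/regions.geojson": (
        200, {}, '{"type":"FeatureCollection","features":[]}'),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_disallowed(ip: str) -> bool:
    """True for addresses a server-side fetcher must never reach."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_link_local or a.is_loopback
            or a.is_reserved or a.is_multicast or a.is_unspecified)


def validate_url(url: str) -> str:
    """Allow only http(s) URLs whose host resolves to a routable address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    try:
        ip = str(ipaddress.ip_address(parts.hostname))  # literal address
    except ValueError:
        ip = FAKE_DNS.get(parts.hostname)               # hostname lookup
    if ip is None:
        raise ValueError(f"unresolvable host: {parts.hostname}")
    if is_disallowed(ip):
        raise ValueError(f"disallowed address {ip} for {url}")
    return url


def http_get(url: str):
    """Stand-in HTTP client: one request, never follows redirects itself."""
    return FAKE_HTTP.get(url, (404, {}, ""))


def fetch_geojson_vulnerable(url: str, max_redirects: int = 5):
    """Pre-fix pattern: only the user-supplied URL is checked; Location
    headers are then followed blindly, so a redirect reaches any address."""
    validate_url(url)
    for _ in range(max_redirects + 1):
        status, headers, body = http_get(url)
        if status in REDIRECT_CODES:
            url = headers["Location"]  # followed without re-validation
            continue
        return status, url, body
    raise ValueError("too many redirects")


def fetch_geojson_fixed(url: str):
    """Patched pattern: validate, fetch once, refuse any redirect."""
    validate_url(url)
    status, headers, body = http_get(url)
    if status in REDIRECT_CODES:
        raise ValueError(
            f"redirect to {headers.get('Location')} refused for {url}")
    return status, url, body


def custom_geojson_enabled(env: dict) -> bool:
    """Models the MB_CUSTOM_GEOJSON_ENABLED switch: on unless explicitly
    set to "false" (assumed parsing rule, default true per the advisory)."""
    value = env.get("MB_CUSTOM_GEOJSON_ENABLED", "true")
    return value.strip().lower() != "false"


if __name__ == "__main__":
    target = "https://geo.example.org/map.geojson"
    print("vulnerable:", fetch_geojson_vulnerable(target))
    try:
        fetch_geojson_fixed(target)
    except ValueError as err:
        print("fixed:", err)
```

Run as a script, the vulnerable fetch returns the metadata body from 169.254.169.254 even though that address would have failed `validate_url` had it been submitted directly; the fixed fetch stops at the 302. Refusing redirects is the simplest correct fix; the alternative of following redirects but re-validating every hop must also re-resolve the hostname at each hop, or a DNS rebinding host defeats it.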

Weakness Enumeration: Open Redirect, Information Disclosure

Related Identifiers: CVE-2022-39359, GHSA-W5J7-4MGM-77F4

Affected Products: Metabase