PT-2022-27030 · Metabase · Metabase

Ronan Donohue · Published 2022-10-26 · Updated 2022-10-28 · CVE-2022-43776

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Metabase, versions prior to 44.5

Description: The url parameter of the "/api/geojson" endpoint can be abused to perform Server-Side Request Forgery (SSRF) attacks. The previously implemented blacklist could be circumvented by leveraging 301 and 302 redirects: a URL that passes the check can redirect to a blacklisted destination.

Recommendations: For versions prior to 44.5, update to version 44.5 or later to resolve the issue. As a temporary workaround, restrict access to the "/api/geojson" endpoint until the update is applied, and avoid using the url parameter of that endpoint until the issue is resolved.
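The redirect bypass described above defeats any check that inspects only the URL the client supplied. A hop-by-hop validator that closes that gap, as an added Python example (not Metabase's own code; the host names, addresses and the fake DNS and HTTP tables are constructed so it runs offline):

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5

def resolve_host(host):
    """Default resolver: every address the host resolves to (IP literals resolve to themselves)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)]

def check_url(url, resolver=resolve_host):
    """Reject non-HTTP schemes and any host with an address that is not globally
    routable (loopback, RFC 1918, link-local such as 169.254.169.254, reserved)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or any(not ip.is_global for ip in resolver(parts.hostname)):
        raise ValueError(f"host not allowed: {parts.hostname!r}")

def fetch_geojson(url, fetch, resolver=resolve_host):
    """Fetch url, re-validating EVERY redirect target before following it.
    fetch(url) must return (status, headers, body) without following redirects
    itself; a client that auto-follows would skip the per-hop check entirely."""
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url, resolver)
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = urljoin(url, headers["Location"])  # checked at the top of the next iteration
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and the remote servers (no network needed).
FAKE_DNS = {"maps.example": "93.184.216.34", "intranet.example": "10.0.0.5"}
FAKE_WEB = {
    "http://maps.example/regions.json": (200, {}, '{"type": "FeatureCollection", "features": []}'),
    "http://maps.example/bounce": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://maps.example/hop": (301, {"Location": "http://intranet.example/"}, ""),
    "http://maps.example/loop": (302, {"Location": "/loop"}, ""),
}
def fake_resolver(host):
    return resolve_host(FAKE_DNS.get(host, host))
def fake_fetch(url):
    return FAKE_WEB.get(url, (200, {}, "reached " + url))
```

Checking the first URL only would let the "bounce" and "hop" entries reach the metadata service and the intranet host; the per-hop check refuses both before any request is sent to them.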

Exploit · Fix

Weakness Enumeration: SSRF

Related Identifiers: CVE-2022-43776

Affected Products: Metabase