CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-32382 – Snowflake credentials logged by the Metabase backend
https://notcve.org/view.php?id=CVE-2025-32382
10 Apr 2025 — Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase fo... • https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30371 – Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint
https://notcve.org/view.php?id=CVE-2025-30371
28 Mar 2025 — Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet wit... • https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •