CVE-2022-24853 – File system exposure in Metabase
https://notcve.org/view.php?id=CVE-2022-24853
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of its GeoJSON support. While validation exists so that the contents of arbitrary URLs are not returned, there is a case where a particularly crafted request could result in file access on Windows, which enables an NTLM relay attack and potentially lets an attacker receive the system's password hash. If you use Windows and are on an affected version of Metabase, upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8. • https://github.com/secure-77/CVE-2022-24853 https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m https://secure77.de/metabase-ntlm-relay-attack https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24854 – Database bypassing any permissions in Metabase via SQLite ATTACH
https://notcve.org/view.php?id=CVE-2022-24854
Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite database files through the initial connection. If an attacker has SQL permissions to at least one SQLite database, they can attach a second database file to that connection and then query across all of its tables, bypassing any Metabase-level permissions on the second database. To do so the attacker also needs to know the file path of the second database. Users are advised to upgrade as soon as possible. • https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329 https://www.sqlite.org/lang_attach.html • CWE-610: Externally Controlled Reference to a Resource in Another Sphere
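The cross-database read described above, and one connection-level way to block it, as an added example that is not part of the advisory or of Metabase's own code. It builds two constructed SQLite files in a temporary directory (a "permitted" one and an "hr.db" the attacker has no grant on), shows that `ATTACH DATABASE` through the permitted connection exposes the second file's rows, and then shows the same query refused when an SQLite authorizer callback denies `SQLITE_ATTACH`. The file names, table names and rows are constructed sample data; the authorizer approach is a generic SQLite hardening and is not claimed to be the fix Metabase shipped.

```python
import os
import sqlite3
import tempfile


def build_databases(tmpdir):
    """Create two SQLite files with constructed sample rows:
    public.db (the attacker may query it) and hr.db (they may not)."""
    allowed = os.path.join(tmpdir, "public.db")
    secret = os.path.join(tmpdir, "hr.db")
    c = sqlite3.connect(allowed)
    c.execute("CREATE TABLE products(id INTEGER, name TEXT)")
    c.execute("INSERT INTO products VALUES (1, 'widget')")
    c.commit()
    c.close()
    c = sqlite3.connect(secret)
    c.execute("CREATE TABLE salaries(employee TEXT, amount INTEGER)")
    c.executemany("INSERT INTO salaries VALUES (?, ?)",
                  [("alice", 120000), ("bob", 95000)])
    c.commit()
    c.close()
    return allowed, secret


def run_attack(allowed, secret):
    """Attacker's query through the permitted connection: ATTACH the other
    file (its path must be known) and read across the schema boundary."""
    conn = sqlite3.connect(allowed)
    conn.execute("ATTACH DATABASE ? AS other", (secret,))
    rows = conn.execute(
        "SELECT employee, amount FROM other.salaries ORDER BY employee"
    ).fetchall()
    conn.close()
    return rows


def deny_attach(action, arg1, arg2, db_name, trigger):
    """SQLite authorizer callback: refuse ATTACH/DETACH, allow all else.
    SQLite calls this while preparing each statement."""
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def run_attack_hardened(allowed, secret):
    """Same attacker query against a connection with the authorizer installed.
    Returns the SQLite error message, or None if the ATTACH unexpectedly ran."""
    conn = sqlite3.connect(allowed)
    conn.set_authorizer(deny_attach)
    try:
        conn.execute("ATTACH DATABASE ? AS other", (secret,))
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return str(exc)
    finally:
        conn.close()
    return None


def demo():
    """Run both variants; returns (rows leaked, error from hardened connection)."""
    tmpdir = tempfile.mkdtemp()
    allowed, secret = build_databases(tmpdir)
    return run_attack(allowed, secret), run_attack_hardened(allowed, secret)


if __name__ == "__main__":
    leaked, err = demo()
    print("unhardened connection leaked:", leaked)
    print("hardened connection refused ATTACH:", err)
```

The authorizer is per connection, so it has to be installed on every connection handed to user-controlled SQL (a pool hook is the natural place). On Python 3.11+ the same effect can be had with `conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, 0)`; either way the path-guessing precondition the advisory mentions stops mattering, because the ATTACH itself is refused.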
CVE-2022-24855 – XSS vulnerability in Metabase
https://notcve.org/view.php?id=CVE-2022-24855
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access to the `/_internal` endpoints in their firewall. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8. • https://github.com/metabase/metabase/releases/tag/v0.42.4 https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41277 – Metabase GeoJSON API Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2021-41277
Metabase is an open source data analytics platform. In affected versions the custom GeoJSON map support (`admin->settings->maps->custom maps->add a map`) allowed potential local file inclusion, including reading environment variables, because the supplied URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you are unable to upgrade immediately, you can mitigate this by adding rules in your reverse proxy, load balancer or WAF that provide a validation filter in front of the application. • https://github.com/tahtaciburak/CVE-2021-41277 https://github.com/zer0yu/CVE-2021-41277 https://github.com/Seals6/CVE-2021-41277 https://github.com/z3n70/CVE-2021-41277 https://github.com/kap1ush0n/CVE-2021-41277 https://github.com/TheLastVvV/CVE-2021-41277 https://github.com/chengling-ing/CVE-2021-41277 https://github.com/kaizensecurity/CVE-2021-41277 https://github.com/RubXkuB/PoC-Metabase-CVE-2021-41277 https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
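The kind of URL validation both GeoJSON entries above are missing (CVE-2021-41277, where any URL including local files was loaded, and CVE-2022-24853, where a crafted request on Windows still reached file access and hence an SMB/NTLM exchange), as an added example that is not code from the advisories or from Metabase. It is a validation filter of the sort the CVE-2021-41277 entry suggests placing in front of the application: only `http`/`https` URLs with a host are accepted; `file:` and every other scheme, bare local paths, and UNC or protocol-relative forms (`\\host\share\...`, `//host/share/...`) are refused. The function names and the sample URLs are constructed for the example; treating the Windows case as a UNC-style path is an assumption, since the advisory does not publish the exact request.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only schemes a remote map fetch should ever use.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeMapUrl(ValueError):
    """Raised when a custom-map URL must not be fetched."""


def validate_geojson_url(raw):
    """Return a normalised URL string if `raw` is a plain http(s) URL with a
    host; raise UnsafeMapUrl otherwise.

    Checks, in order:
      * empty / non-string input
      * UNC and protocol-relative prefixes, caught before parsing because
        urlsplit() would read "//host/share" as a netloc and "\\host\share"
        as a scheme-less path (on Windows a file open on either goes over SMB)
      * scheme allowlist (rejects file:, ftp:, drive letters such as "C:" ...)
      * presence of a host (rejects "http:///local/path")
      * any backslash anywhere, which has no place in a remote URL
    """
    if not isinstance(raw, str) or not raw.strip():
        raise UnsafeMapUrl("empty URL")
    url = raw.strip()
    if url.startswith(("\\\\", "//")):
        raise UnsafeMapUrl("UNC or protocol-relative path refused: %r" % raw)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeMapUrl("scheme %r refused" % parts.scheme)
    if not parts.hostname:
        raise UnsafeMapUrl("URL has no host")
    if "\\" in url:
        raise UnsafeMapUrl("backslash in URL refused")
    return parts.geturl()


def is_safe(raw):
    """Boolean wrapper for bulk checks and tests."""
    try:
        validate_geojson_url(raw)
        return True
    except UnsafeMapUrl:
        return False


# Constructed sample inputs: the kinds of values an admin form or an attacker
# could submit as a "custom map" URL.
SAMPLE_URLS = [
    "https://example.com/maps/regions.geojson",      # legitimate remote map
    "http://maps.example.org/world.json",            # legitimate, plain http
    "file:///etc/passwd",                            # local file read
    "file:///proc/self/environ",                     # environment variables
    "file://attacker.example/share/map.json",        # file: with a host
    "\\\\attacker.example\\share\\map.json",         # UNC path (SMB on Windows)
    "//attacker.example/share/map.json",             # protocol-relative UNC
    "C:\\Windows\\win.ini",                          # bare drive path
    "http:///no-host-here",                          # http with empty host
]


def classify(urls=SAMPLE_URLS):
    """Map each URL to True (would be fetched) or False (refused)."""
    return {u: is_safe(u) for u in urls}


if __name__ == "__main__":
    for u, ok in classify().items():
        print("ACCEPT" if ok else "REFUSE", u)
```

Scheme and host checks stop the local-file and UNC cases; they say nothing about which hosts are reachable, so a deployment that also cares about SSRF into internal address space needs a separate resolve-and-check step on the host before the fetch.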