The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server-Side Request Forgery (SSRF) attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.
CPE

Name | Operator | Version |
---|---|---|
metabase | eq | 0.37.0-rc2 |
metabase | eq | 0.43.0-rc1 |
metabase | eq | 0.37.6 |
metabase | eq | 0.19.3 |
metabase | eq | 0.36.3 |
metabase | eq | 1.42.0-rc2 |
metabase | eq | 1.44.0-RC3 |
metabase | eq | 1.44.1 |
metabase | eq | 1.39.1 |
metabase | eq | 0.28.0 |
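
The redirect bypass described above works when a blocklist is applied only to the URL the user supplies. The following added example (not Metabase's code) shows one way to close that gap by following redirects manually and re-validating every hop. The function names, host names, addresses and the injected `fetch`/`resolve` callables are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def default_resolve(host):
    """Resolve a host name to the set of IP address strings it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_allowed(url, resolve=default_resolve):
    """True only for http(s) URLs whose every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def follow_checked(url, fetch, resolve=default_resolve, max_hops=5):
    """Follow redirects by hand, re-validating each hop before requesting it.

    fetch(url) must NOT follow redirects itself; it returns
    (status, location_or_None). Returns the final URL or raises ValueError.
    """
    for _ in range(max_hops + 1):
        if not is_allowed(url, resolve):
            raise ValueError(f"blocked destination: {url}")
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")

# Constructed sample data: a public host that redirects to an internal address.
DNS = {"maps.example.com": {"93.184.216.34"}, "10.0.0.5": {"10.0.0.5"}}
RESPONSES = {"http://maps.example.com/world.json": (302, "http://10.0.0.5/"),
             "http://maps.example.com/ok.json": (200, None)}

def fake_resolve(host):
    return DNS.get(host, set())

def fake_fetch(url):
    return RESPONSES.get(url, (200, None))
```

A check on the first URL alone accepts `http://maps.example.com/world.json`, while `follow_checked` rejects it at the second hop. A real client should also connect to the address that was validated rather than resolving the name a second time.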