2024-11-18
Metabase, an open-source data analytics platform, has a critical vulnerability (CVSS 10.0) in versions prior to 0.40.5 and 1.40.5. A crafted URL supplied for a custom GeoJSON map can trigger local file inclusion (LFI), which could lead to sensitive information disclosure and potentially remote code execution.
Form:
Platform: Metabase
Version: < 0.40.5 and < 1.40.5
Vulnerability: Local File Inclusion (LFI)
Severity: CRITICAL
Date: 2023-11-28
What Undercode Says:
Metabase, a popular open-source data analytics platform, is affected by a critical security flaw, tracked as CVE-2023-46193, that could allow attackers to compromise systems running vulnerable versions of Metabase.
The issue stems from missing input validation of the URL accepted by the custom GeoJSON map feature: a crafted URL can make the server read sensitive files on the system and could even lead to arbitrary code execution.
To mitigate this risk, update Metabase to a fixed release (0.40.5 / 1.40.5 or later). If an immediate upgrade is not feasible, additional measures such as validating the map URL on input and encoding output can help reduce the attack surface.
It is crucial to stay updated with the latest security advisories and patches to ensure the security of your Metabase deployments.
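As an added defensive example (not code from this advisory or from the Metabase project): the URL validation the advisory recommends, applied to a custom GeoJSON map source, plus the same check run over constructed access-log lines to surface requests that already reached the server. The endpoint path /api/geojson, the url query parameter and the log lines are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}

def geojson_url_is_safe(url: str) -> bool:
    """Allow only http(s) URLs that point at a public host.

    Rejects file: and other local schemes, bare paths, localhost and
    loopback/private/link-local addresses, any of which would turn the
    map fetch into a read of local files or internal services."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not a literal address
        return host.lower() != "localhost"
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved)

# Constructed access-log lines (combined log format). The /api/geojson path
# and the url parameter are assumptions, not taken from the advisory.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [18/Nov/2024:10:01:02 +0000] "GET /api/geojson?url=https%3A%2F%2Fexample.com%2Fregions.geojson HTTP/1.1" 200 5120',
    '10.0.0.9 - - [18/Nov/2024:10:02:15 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fsome%2Flocal%2Ffile HTTP/1.1" 200 2048',
    '10.0.0.9 - - [18/Nov/2024:10:02:40 +0000] "GET /api/geojson?url=http%3A%2F%2F127.0.0.1%3A3000%2Fapi%2Fsession HTTP/1.1" 200 300',
    '10.0.0.7 - - [18/Nov/2024:10:03:00 +0000] "GET /api/card/12 HTTP/1.1" 200 900',
]

def suspicious_geojson_requests(log_lines):
    """Return (client_ip, requested_url) for custom-map requests whose
    url parameter would fail geojson_url_is_safe."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 8 or not parts[6].startswith("/api/geojson?"):
            continue
        target = parse_qs(urlparse(parts[6]).query).get("url", [""])[0]
        if target and not geojson_url_is_safe(target):
            hits.append((parts[0], target))
    return hits

if __name__ == "__main__":
    for ip, url in suspicious_geojson_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip} requested a non-http(s) or internal map source: {url}")
```

The allow-list check is what the patched versions effectively enforce; running it over historic logs tells you whether anyone probed the feature before the upgrade.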
References:
Reported By: Cve.org