Description
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on Windows, which allows enabling an NTLM relay attack, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
References
- Release Notes, Third Party Advisory
- Exploit, Third Party Advisory
- Third Party Advisory
- Release Notes, Third Party Advisory
- Exploit, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1
- Version from 0.40.0 (inclusive) to 0.40.8 (exclusive)
- Version from 0.41.0 (inclusive) to 0.41.7 (exclusive)
- Version from 0.42.0 (inclusive) to 0.42.4 (exclusive)
- Version from 1.40.0 (inclusive) to 1.40.8 (exclusive)
- Version from 1.41.0 (inclusive) to 1.41.7 (exclusive)
- Version from 1.42.0 (inclusive) to 1.42.4 (exclusive)
One of
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
EPSS
Percentile: 93%
0.09729
Low
5.9 Medium
CVSS3
5.3 Medium
CVSS3
2.6 Low
CVSS2
Weaknesses
CWE-200
CWE-200