This article covers CVE-2022-39359, a flaw in Metabase's custom GeoJSON URL validation that let the Metabase server follow HTTP redirects to addresses the validation was meant to block.
Understanding CVE-2022-39359
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, a custom GeoJSON map URL was checked only before the first request, so when that URL answered with a redirect the server followed it to addresses that were otherwise disallowed, such as link-local or private-network ones.
What is CVE-2022-39359?
CVE-2022-39359 is a vulnerability in Metabase where the server, after validating a custom GeoJSON map URL, would follow HTTP redirects from that URL to addresses the validation was supposed to block, such as link-local or private-network addresses.
The Impact of CVE-2022-39359
The flaw is a bypass of Metabase's server-side request forgery (SSRF) protection. An attacker who can set a custom GeoJSON map URL points it at an external host they control; that host passes the address check and then answers with a redirect to a link-local or private-network address, for example a cloud instance-metadata service or an internal HTTP service. Metabase issues the follow-up request from its own network position, so data from services that should have been unreachable can be pulled into the server and potentially exposed to whoever controls the map configuration.
Technical Details of CVE-2022-39359
The vulnerability has been patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Rather than re-checking each redirect target, Metabase no longer follows redirects on GeoJSON map URLs at all, and an environment variable, MB_CUSTOM_GEOJSON_ENABLED, has been added to disable custom GeoJSON entirely for deployments that do not need it.
Vulnerability Description
A custom GeoJSON map URL was checked against the disallowed address ranges only once, before the first request. If that URL responded with a redirect, the HTTP client followed the Location header without repeating the check, so the final request could land on a link-local or private-network address that would have been refused had it been supplied directly.
Affected Systems and Versions
Versions prior to 0.41.9, 0.42.6, 0.43.7, 0.44.5, 1.41.9, 1.42.6, 1.43.7, and 1.44.5 of Metabase were affected by this vulnerability. The 0.x numbers are the open-source edition and the 1.x numbers are the Enterprise edition; both editions of each minor line received the fix.
Exploitation Mechanism
An attacker who can configure a custom GeoJSON map points its URL at a host they control. That host resolves to a public address, so it passes the initial validation, and then responds with an HTTP redirect (a 3xx status with a Location header) to an address that would have been blocked if supplied directly, such as 169.254.169.254 or a host inside 10.0.0.0/8. The Metabase server follows the redirect and makes the request from inside the network. It is the server that is redirected, not the end user's browser.
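The following is an added example, not Metabase's own code, that reproduces the pattern described above in miniature: an address check that runs once, a client that then follows redirects blindly, and two hardened variants beside it. The hostnames, addresses and HTTP responses are constructed stand-ins so that it runs offline; the function names (is_allowed, fetch_vulnerable, fetch_no_redirects, fetch_revalidating) are this example's own and do not correspond to Metabase identifiers. The no-redirect variant mirrors what the patched Metabase does; the re-validating variant goes beyond the advisory and shows the alternative of checking every hop.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed stand-ins so the example runs offline. Neither the hostnames nor the
# addresses come from the Metabase advisory; they only illustrate the pattern.
FAKE_DNS = {
    "maps.example.com": "93.184.216.34",     # stands in for a public host
    "metadata.internal": "169.254.169.254",  # link-local, like a cloud metadata service
}

FAKE_HTTP = {
    "https://maps.example.com/regions.geojson":
        (200, {}, '{"type":"FeatureCollection","features":[]}'),
    "https://maps.example.com/bounce":
        (302, {"Location": "http://metadata.internal/latest/meta-data/"}, ""),
    "http://metadata.internal/latest/meta-data/":
        (200, {}, "ami-id\ninstance-id\n"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def resolve(host):
    """Simulated DNS lookup; literal IP addresses resolve to themselves."""
    return FAKE_DNS.get(host, host)


def is_allowed(url):
    """The address check: only http(s) URLs whose host resolves to a globally
    routable address pass. Loopback, private and link-local ranges are rejected."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parsed.hostname))
    except ValueError:
        return False  # unresolvable host: fail closed
    return addr.is_global


def http_get(url):
    """Simulated single HTTP request that never follows redirects by itself."""
    if url not in FAKE_HTTP:
        raise ConnectionError(f"no route to {url}")
    return FAKE_HTTP[url]


def fetch_vulnerable(url, max_redirects=5):
    """The CVE-2022-39359 pattern: validate once, then follow Location headers blindly."""
    if not is_allowed(url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = http_get(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, headers["Location"])  # new target is never re-checked
            continue
        return body
    raise RuntimeError("too many redirects")


def fetch_no_redirects(url):
    """What the patched Metabase does: validate, fetch once, refuse any redirect."""
    if not is_allowed(url):
        raise PermissionError(f"blocked: {url}")
    status, headers, body = http_get(url)
    if status in REDIRECT_STATUSES:
        raise PermissionError(f"redirect refused: {url} -> {headers.get('Location')}")
    return body


def fetch_revalidating(url, max_redirects=5):
    """Alternative hardening (not what Metabase chose): follow redirects, but run
    the address check again on every hop before requesting it."""
    for _ in range(max_redirects + 1):
        if not is_allowed(url):
            raise PermissionError(f"blocked: {url}")
        status, headers, body = http_get(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise RuntimeError("too many redirects")


def attempt(fetch, url):
    """Run a fetcher and report ('ok', body) or ('blocked', reason) for comparison."""
    try:
        return ("ok", fetch(url))
    except PermissionError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for name, fetch in [("vulnerable", fetch_vulnerable),
                        ("no-redirects", fetch_no_redirects),
                        ("revalidating", fetch_revalidating)]:
        print(name, attempt(fetch, "https://maps.example.com/bounce"))
```

Running it shows the vulnerable fetcher returning the simulated metadata body while both hardened fetchers refuse the same URL. Note that even the re-validating variant checks the resolved address before the request rather than at connect time, so in a real client the resolution used for the check and the one used for the connection must be the same (DNS rebinding); refusing redirects outright, as Metabase did, avoids that extra complexity.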
Mitigation and Prevention
To mitigate CVE-2022-39359, update Metabase to a patched version. If custom GeoJSON maps are not needed, also set the environment variable MB_CUSTOM_GEOJSON_ENABLED to false, which disables custom GeoJSON entirely; leaving it at true, the default, keeps the feature enabled.
Immediate Steps to Take
Update Metabase to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9 (or any later release) and, if custom GeoJSON is not needed, set MB_CUSTOM_GEOJSON_ENABLED=false in the server's environment.
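As an added example (not Metabase tooling), the script below turns the two steps above into a check an operator can run against a fleet: it compares a Metabase version tag with the fixed versions listed in the advisory, branch by branch, and reads MB_CUSTOM_GEOJSON_ENABLED to tell whether the feature is switched off. The version tag is passed in by hand; treating an unset variable as "enabled" follows the documented default and is an assumption of this example, as is the tag format v<major>.<minor>.<patch>.

```python
import re

# Fixed versions from the advisory. Metabase 0.x is the open-source edition and
# 1.x is the Enterprise edition; both editions of each minor line were patched.
PATCHED = {
    (0, 41): (0, 41, 9), (1, 41): (1, 41, 9),
    (0, 42): (0, 42, 6), (1, 42): (1, 42, 6),
    (0, 43): (0, 43, 7), (1, 43): (1, 43, 7),
    (0, 44): (0, 44, 5), (1, 44): (1, 44, 5),
}
LAST_PATCHED_MINOR = 44

# Assumed tag format, e.g. "v0.44.4" or "1.43.7" (the leading "v" is optional).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag):
    """Turn a Metabase tag such as 'v0.44.4' into (major, minor, patch)."""
    m = VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major not in (0, 1):
        raise ValueError(f"unknown Metabase edition prefix in {tag!r}")
    return (major, minor, patch)


def is_patched(tag):
    """True if this version contains the CVE-2022-39359 fix."""
    version = parse_version(tag)
    fixed = PATCHED.get(version[:2])
    if fixed is not None:
        return version >= fixed
    # Minor lines older than 41 never received a backport;
    # lines newer than 44 were released after the fix and ship with it.
    return version[1] > LAST_PATCHED_MINOR


def custom_geojson_disabled(env):
    """True if MB_CUSTOM_GEOJSON_ENABLED turns the feature off. Treating an
    unset variable as enabled (the documented default) is an assumption here."""
    return env.get("MB_CUSTOM_GEOJSON_ENABLED", "true").strip().lower() == "false"


def assess(tag, env):
    """Combine version and configuration into a small report for one deployment."""
    patched = is_patched(tag)
    disabled = custom_geojson_disabled(env)
    return {
        "version": tag,
        "patched": patched,
        "custom_geojson_disabled": disabled,
        # Unpatched with the feature still on: the redirect bypass is reachable.
        "exposed": (not patched) and (not disabled),
        # The env var is a stopgap; an unpatched build still needs the upgrade.
        "needs_upgrade": not patched,
    }


if __name__ == "__main__":
    import os
    import sys
    tag = sys.argv[1] if len(sys.argv) > 1 else "v0.44.4"
    print(assess(tag, os.environ))
```

Run it on the host as `python3 check.py v0.43.6` with the same environment the Metabase process sees; "exposed" is the field to alert on, and "needs_upgrade" stays true even when the variable is set to false, because disabling custom GeoJSON is a workaround rather than a fix.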
Long-Term Security Practices
Regularly monitor for security updates and apply patches promptly. Beyond this one CVE, treat any server-side fetch of a user-supplied URL as SSRF-prone: either refuse redirects, as the Metabase fix does, or repeat the address check on every hop, and expose such fetch features only to the users who need them.
Patching and Updates
Stay informed about security advisories from Metabase and apply relevant patches and updates as soon as they are released.