Server Side Request Forgery (SSRF) Vulnerability in Metabase <44.5 via /api/geojson Endpoint

CVE-2022-43776 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.
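A fetcher of the kind this fix calls for, added here as an illustration and not Metabase's own code: it never auto-follows redirects and re-validates the destination of every hop, so a 301/302 from a permitted host to a loopback or link-local address is rejected before the second request is sent. Host names, addresses and URLs below are constructed placeholders; the code assumes only the Python standard library, and the `resolver`/`do_request` parameters exist so the logic can be exercised offline.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

class SSRFError(ValueError):
    """Raised when a URL, or a redirect target, points somewhere disallowed."""

def check_url(url, resolver=socket.getaddrinfo):
    """Allow only http(s) URLs whose host resolves solely to public addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFError(f"unsupported or host-less URL: {url}")
    try:
        records = resolver(parts.hostname, None)
    except socket.gaierror as exc:
        raise SSRFError(f"cannot resolve {parts.hostname}") from exc
    for record in records:
        addr = ipaddress.ip_address(record[4][0])
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # where cloud metadata endpoints live) and the documentation ranges.
        if not addr.is_global:
            raise SSRFError(f"{parts.hostname} resolves to non-public {addr}")

def http_get_no_redirect(url, timeout=5):
    """Single GET that never follows redirects; returns (status, headers, body)."""
    parts = urlparse(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
    resp = conn.getresponse()
    status, headers, body = resp.status, dict(resp.getheaders()), resp.read()
    conn.close()
    return status, headers, body

def fetch_checked(url, do_request=http_get_no_redirect, resolver=socket.getaddrinfo, max_hops=3):
    """Fetch url, re-checking each redirect target; a check on the first URL alone is what a 301/302 bypasses."""
    for _ in range(max_hops + 1):
        check_url(url, resolver)
        status, headers, body = do_request(url)
        if status not in (301, 302, 303, 307, 308):
            return url, status, body
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise SSRFError("redirect without a Location header")
        url = urljoin(url, location)  # relative Location allowed; checked on the next iteration
    raise SSRFError(f"more than {max_hops} redirects")
```

Resolving the host and then connecting separately still leaves a DNS-rebinding window; in production, pin the checked address at the socket layer (connect to the validated IP and send the Host header yourself) rather than resolving twice.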
