Main Vulnerability Database SB2022041452

SB2022041452 - Input validation error in Metabase

Published: April 14, 2022 Updated: April 25, 2026

Security Bulletin ID SB2022041452

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2022-24853)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper validation in the GeoJSON URL loading proxy when handling a specially crafted request. A remote attacker can send a specially crafted request to disclose sensitive information.

On Windows systems, exploitation can trigger file access that enables an NTLM relay attack and may expose the password hash.

Remediation

Install update from vendor's website.

References

https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m
https://github.com/advisories/GHSA-5cfq-582c-c38m