Input validation error in Metabase - CVE-2022-24853

 

Input validation error in Metabase - CVE-2022-24853

Published: April 14, 2022 / Updated: April 25, 2026


Vulnerability identifier: #VU127934
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-24853
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Metabase
Affected software:
Metabase

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper validation in the GeoJSON URL loading proxy when handling a specially crafted request. A remote attacker can send a specially crafted request to disclose sensitive information.

On Windows systems, exploitation can trigger file access that enables an NTLM relay attack and may expose the password hash.


How to mitigate CVE-2022-24853

Install security update from vendor's website.

Sources