Input validation error in Metabase - CVE-2022-24853
Published: April 14, 2022 / Updated: April 25, 2026
Metabase
Description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper validation in the GeoJSON URL loading proxy. A remote attacker can send a specially crafted request to this proxy and disclose sensitive information.
On Windows systems, exploitation can trigger file access that enables an NTLM relay attack and may expose the password hash.
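A defensive check of the kind this description calls for, as an added example (not Metabase's code and not the vendor's fix): it validates a URL before a server-side proxy fetches it, rejecting the file and UNC forms that lead to local or SMB file access. The function name, the allowed-scheme policy and the sample URLs are assumptions; the IP-literal check is general hardening beyond what the advisory states.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: remote GeoJSON is only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}


def check_geojson_url(url):
    """Return (ok, reason) for a URL a server-side proxy is about to fetch."""
    # Backslashes cover Windows UNC paths (\\host\share\file), which make the
    # server open an SMB connection and authenticate to the named host.
    if "\\" in url:
        return False, "backslash or UNC path"
    # Some parsers silently drop whitespace and control characters.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False, "whitespace or control character"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    # Rejects file: and other non-HTTP schemes, and scheme-less //host/share.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials"
    # General hardening beyond the advisory text: refuse IP literals that
    # point at the server itself or its internal network.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # DNS name: the resolved address must be checked at fetch time
    if addr is not None and (addr.is_loopback or addr.is_private
                             or addr.is_link_local or addr.is_unspecified
                             or addr.is_multicast or addr.is_reserved):
        return False, "non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("https://example.org/world.geojson",
                   r"\\fileserver.example\share\map.geojson",
                   "file:///C:/data/map.geojson",
                   "//fileserver.example/share/map.geojson",
                   "http://127.0.0.1:3000/api"):
        print(sample, "->", check_geojson_url(sample))
```

The check only covers the string the caller supplies; redirects followed by the HTTP client and the address a DNS name resolves to need the same policy applied at fetch time.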