Server Side Request Forgery (SSRF) Vulnerability in Metabase <44.5 via /api/geojson Endpoint

CVE-2022-43776 · MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-43776

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.

Learn more about our Cis Benchmark Audit For Server Software.