
XSS vulnerability in /_internal endpoint

Moderate
diogormendes published GHSA-wjw6-wm9w-7ggr Apr 14, 2022

Package

Metabase OSS and Enterprise (Metabase)

Affected versions

<x.42.3, <x.41.6, <x.40.7

Patched versions

0.42.4, 1.42.4, 0.41.7, 1.41.7, 0.40.8, 1.40.8

Description

Impact

Metabase ships with an internal development endpoint, /_internal, that is vulnerable to cross-site scripting (XSS). An attacker could abuse it in phishing attempts with malicious links, potentially leading to account takeover.

Mitigation

Either upgrade immediately, or block access to Metabase's /_internal endpoints in your firewall. The patched versions of Metabase remove /_internal from production builds.

Patches

The following patches (or greater versions) are available:

  • 0.42.4 and 1.42.4
  • 0.41.7 and 1.41.7
  • 0.40.8 and 1.40.8

Please upgrade immediately if the mitigation cannot be applied.
All releases are available on https://github.com/metabase/metabase/releases
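Two checks an operator might script while following the mitigation and patch guidance above, added here as example code that is not part of the advisory or of the Metabase project: a version test against the patched release numbers listed above (it treats release lines newer than x.42 as fixed, per the "or greater versions" wording, and lines older than x.40 as unfixed, which is an assumption), and a scan of web-server access logs for requests that reach the /_internal path, which is how you would confirm that a firewall or proxy block is actually catching that traffic. The log lines are constructed for the example, and the Common Log Format layout is an assumption about your proxy's logging.

```python
import re
from urllib.parse import unquote, urlsplit

# Minimum patched release on each affected minor line, from the advisory.
# 0.x (OSS) and 1.x (Enterprise) share the same minor.patch numbering.
PATCHED_MINIMUM = {42: 4, 41: 7, 40: 8}
NEWEST_PATCHED_MINOR = max(PATCHED_MINIMUM)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def is_patched(version: str) -> bool:
    """Return True if a Metabase version string (e.g. '0.42.4') carries the fix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major not in (0, 1):
        raise ValueError(f"unexpected Metabase major version: {version!r}")
    if minor > NEWEST_PATCHED_MINOR:
        return True  # assumption: later release lines were cut after the fix
    if minor in PATCHED_MINIMUM:
        return patch >= PATCHED_MINIMUM[minor]
    return False  # x.39 and earlier: advisory lists <x.40.7 as affected


# Common Log Format (assumed proxy log layout):
# client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_internal_path(target: str) -> bool:
    """True if the request target resolves to /_internal or anything beneath it.

    The query string is dropped and percent-encoding is decoded first, so an
    encoded underscore or a trailing query does not slip past the match, while
    unrelated paths that merely start with the same letters are not flagged.
    """
    path = unquote(urlsplit(target).path)
    return path == "/_internal" or path.startswith("/_internal/")


def find_internal_requests(log_lines):
    """Return (client, method, target, status) for every request to /_internal."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_internal_path(m["target"]):
            hits.append((m["client"], m["method"], m["target"], int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2022:10:01:02 +0000] "GET /api/session/properties HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Apr/2022:10:01:07 +0000] "GET /_internal HTTP/1.1" 200 2048',
    '10.0.0.9 - - [14/Apr/2022:10:01:09 +0000] "GET /_internal/?tab=demo HTTP/1.1" 200 1900',
    '10.0.0.9 - - [14/Apr/2022:10:01:12 +0000] "GET /%5Finternal HTTP/1.1" 200 2048',
    '10.0.0.5 - - [14/Apr/2022:10:01:20 +0000] "GET /_internals_of_app HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for v in ("0.42.3", "1.42.4", "0.41.6", "1.41.7", "0.39.5", "0.43.0"):
        print(f"{v}: {'patched' if is_patched(v) else 'AFFECTED'}")
    for hit in find_internal_requests(SAMPLE_LOG):
        print("request reached /_internal:", hit)
```

A status of 200 on a flagged line means the block is not in place (or is being bypassed by the encoded form); once the firewall rule is active you should see only 403/404 for these paths, and after upgrading to a patched build the endpoint no longer exists in production at all.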

Credits

Reported by https://github.com/bananabr via security@ email

Severity

Moderate

CVE ID

CVE-2022-24855
