• Published Date: Wed 26 Oct 2022
  • Last Modified Date: Wed 26 Oct 2022

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.

References (Advisories, Solutions, and Tools):

Note: This page is generated by our securitybot and has not been checked for errors. Feed Source: NVD