Cyber Resilience

CVE-2022-24853

Severity: Medium · Public PoC referenced

Published: 14 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0973 (93.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24853 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Metabase (vendor: Metabase). Its CVSS base score is 5.9 (Medium).

Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Metabase, an open source business intelligence application, contains a flaw in its GeoJSON map support that proxies arbitrary URLs for JSON content. Although validation is intended to block direct retrieval of arbitrary URLs, a specially crafted request can bypass these checks on Windows systems and grant local file access. This behavior enables an NTLM relay attack that can expose the system password hash. The vulnerability is tracked as CVE-2022-24853 and affects Metabase versions prior to the listed patches.

An unauthenticated remote attacker can exploit the issue over the network by submitting a malicious request that triggers the file-access path. Successful exploitation allows the attacker to relay NTLM authentication material and potentially obtain credential hashes, leading to further compromise of the Windows host. The CVSS 3.1 score of 5.9 reflects the high attack complexity and the high confidentiality impact, with no user interaction or privileges required.

Official advisories recommend immediate upgrade for any Windows deployment. Patches are available in Metabase 0.42.4 / 1.42.4, 0.41.7 / 1.41.7, and 0.40.8 / 1.40.8; the GitHub Security Advisory GHSA-5cfq-582c-c38m provides the corresponding release information. The EPSS score has remained flat at 0.0973 with no material increase after disclosure.

Vulnerability details

Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on Windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: metabase
Product: metabase
Affected version ranges: 0.40.0 to 0.40.8 · 0.41.0 to 0.41.7 · 0.42.0 to 0.42.4

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-200:

- Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.
- Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
- Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.
- By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
- Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
- Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
- Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
- Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge.
