CVE-2022-24853
Published: 14 April 2022
Summary
CVE-2022-24853 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Metabase. Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Metabase, an open source business intelligence application, contains a flaw in its GeoJSON map support that proxies arbitrary URLs for JSON content. Although validation is intended to block direct retrieval of arbitrary URLs, a specially crafted request can bypass these checks on Windows systems and grant local file access. This behavior enables an NTLM relay attack that can expose the system password hash. The vulnerability is tracked as CVE-2022-24853 and affects Metabase versions prior to the listed patches.
An unauthenticated remote attacker can exploit the issue over the network by submitting a malicious request that triggers the file-access path. Successful exploitation allows the attacker to relay NTLM authentication material and potentially obtain credential hashes, leading to further compromise of the Windows host. The CVSS 3.1 score of 5.9 reflects high attack complexity combined with a confidentiality impact, with no user interaction or privileges required.
Official advisories recommend immediate upgrade for any Windows deployment. Patches are available in Metabase 0.42.4 / 1.42.4, 0.41.7 / 1.41.7, and 0.40.8 / 1.40.8; the GitHub Security Advisory GHSA-5cfq-582c-c38m provides the corresponding release information. The EPSS score has remained flat at 0.0973 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29633
Vulnerability details
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on Windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.
- Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
- Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.
- By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
- Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
- Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
- Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
- Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge.