CVE-2022-39359: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in metabase metabase

Medium
Published: Wed Oct 26 2022 (10/26/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: metabase
Product: metabase

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URLs would follow redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default).

AI-Powered Analysis

Last updated: 06/22/2025, 14:49:58 UTC

Technical Analysis

CVE-2022-39359 is a medium-severity vulnerability affecting multiple versions of Metabase, an open-source data visualization and business intelligence platform. The issue arises from the way Metabase handles custom GeoJSON map URLs. Prior to the patched versions (0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9), Metabase validated the user-supplied URL but then followed HTTP redirects from it to other addresses, including addresses within link-local or private-network ranges that the initial validation would have rejected. Because the request is issued by the Metabase server, this could expose internal network resources or data that are not reachable from outside: a GeoJSON URL that redirects to an internal IP address or an internal-only service causes Metabase to fetch that resource and potentially return its contents. The vulnerability is classified under CWE-200, exposure of sensitive information to an unauthorized actor. The patch stops Metabase from following redirects on GeoJSON URLs and introduces an environment variable, MB_CUSTOM_GEOJSON_ENABLED, that lets administrators disable custom GeoJSON functionality entirely. This prevents Metabase from reaching unintended internal resources via redirects. No known exploits have been reported in the wild, but the vulnerability poses a risk especially where Metabase is exposed to untrusted users or can reach sensitive internal networks. The affected versions span a wide range, including all versions prior to 0.41.9 and the incremental releases up to but not including the patched versions listed, so many deployments could be vulnerable if not updated.

Potential Impact

For European organizations, the impact of this vulnerability depends on the deployment architecture. Organizations using Metabase to visualize internal data may inadvertently expose internal network resources if custom GeoJSON URLs are enabled and untrusted users can supply or influence those URLs. This could leak confidential information such as internal IP addresses, network topology details, or data served by internal services, and that information could support further reconnaissance or lateral movement. Sectors with strict data privacy requirements, such as finance, healthcare, and government, are particularly at risk because leaked sensitive information may constitute a compliance violation (e.g., under GDPR). Organizations with hybrid cloud or segmented network environments may also unintentionally bridge internal and external networks through this vulnerability. Although no active exploits are known, the low effort required (a crafted URL) and the broad range of affected versions raise the risk profile. The vulnerability does not directly allow remote code execution or system compromise, but it can be a stepping stone to more advanced attacks. The confidentiality impact is therefore moderate, while integrity and availability impacts are low. Overall, the vulnerability could undermine trust in data visualization platforms and expose details of sensitive internal infrastructure.

Mitigation Recommendations

European organizations should take the following practical steps beyond generic patching advice:

1) Immediately upgrade Metabase installations to the patched versions (0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9) to ensure the redirect-following flaw is fixed.
2) If upgrading is not immediately feasible, disable the custom GeoJSON feature by setting the environment variable MB_CUSTOM_GEOJSON_ENABLED to false, preventing any custom GeoJSON URLs from being processed.
3) Restrict access to Metabase instances to trusted internal users only, minimizing exposure to untrusted or external actors who could exploit the vulnerability.
4) Implement network segmentation and firewall rules to limit the Metabase server's outbound HTTP requests, especially to private or link-local IP ranges, thereby reducing the risk of unauthorized internal resource access.
5) Monitor logs for unusual GeoJSON URL requests or unexpected redirect patterns that could indicate exploitation attempts.
6) Conduct internal audits of Metabase configurations and usage to identify any custom GeoJSON maps in use and evaluate their necessity and security.
7) Educate administrators and users about the risks of supplying external URLs in visualization tools and enforce strict input validation where possible.

These targeted mitigations reduce the attack surface and prevent sensitive data exposure while maintaining operational continuity.
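The pre-patch flaw and the fix side by side, as an added illustration (not Metabase's own code): a small GeoJSON fetcher that validates the requested URL against private and link-local ranges, then either chases a 3xx Location header without re-checking it (the vulnerable behaviour) or refuses any redirect outright (the patched behaviour). The DNS and HTTP responses are constructed stubs so the example runs offline; the host names, addresses and blocked-range list are assumptions for the demonstration.

```python
import ipaddress
from urllib.parse import urlparse

# Ranges a server-side fetcher should never reach (constructed list for this example).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def url_allowed(url, resolve):
    """True only if the scheme is http(s) and every resolved address is outside BLOCKED_NETS."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ips = resolve(parts.hostname)
    return bool(ips) and all(
        not any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETS) for ip in ips)

def fetch_geojson(url, resolve, http_get, follow_redirects):
    """follow_redirects=True mirrors the pre-patch flaw: only the first URL is validated,
    then the client follows Location headers blindly. follow_redirects=False mirrors the
    fix: any 3xx response is an error, so a redirect can never reach a blocked range."""
    if not url_allowed(url, resolve):
        raise ValueError(f"disallowed target: {url}")
    for _ in range(5):
        status, headers, body = http_get(url)
        if 300 <= status < 400 and "Location" in headers:
            if not follow_redirects:
                raise ValueError(f"redirect refused: {url} -> {headers['Location']}")
            url = headers["Location"]  # vulnerable: the new target is never re-validated
            continue
        return body
    raise ValueError("too many redirects")

# Constructed environment: a public map host whose response redirects to a link-local address.
FAKE_DNS = {"maps.example.com": ["203.0.113.10"], "169.254.1.1": ["169.254.1.1"]}
FAKE_HTTP = {
    "https://maps.example.com/regions.geojson": (302, {"Location": "http://169.254.1.1/status"}, ""),
    "http://169.254.1.1/status": (200, {}, "INTERNAL-ONLY DATA"),
}
fake_resolve = lambda host: FAKE_DNS.get(host, [])
fake_http_get = lambda url: FAKE_HTTP[url]

def demo():
    """Returns (what the vulnerable fetcher leaks, whether the patched fetcher refused)."""
    url = "https://maps.example.com/regions.geojson"
    leaked = fetch_geojson(url, fake_resolve, fake_http_get, follow_redirects=True)
    try:
        fetch_geojson(url, fake_resolve, fake_http_get, follow_redirects=False)
        refused = False
    except ValueError:
        refused = True
    return leaked, refused
```

Validating the hostname at request time still leaves a window if DNS answers change between check and connect, so the outbound egress rules in step 4 remain the backstop even with redirects disabled.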

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9846c4522896dcbf4963

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 2:49:58 PM

Last updated: 8/4/2025, 11:51:23 AM
