Metabase - v0.42.6
Security fixes
* Possible to circumvent Locked parameter in Signed Embedding (https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3)
* SSO users able to circumvent IdP login by doing password reset (https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc)
* GeoJSON validation doesn't prevent redirects to blocked URLs (https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4)
* Arbitrary SQL execution from queryhash (https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238)
* Remote Code Execution via H2 (https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v)
Upgrading
You can download a .jar of the release, or get the latest on Docker. Make sure to back up your Metabase
database before you upgrade! Need help? Check out our
upgrading instructions.
Docker image: metabase/metabase:v0.42.6
Download the JAR here: https://downloads.metabase.com/v0.42.6/metabase.jar
Notes
SHA-256 checksum for the 0.42.6 JAR:
7b412a54ce8f4813ff613e15e6c9f2c4608ddc40b327d2a0cc9db9de3d75f59a
Security
Security wording was detected, but no CVEs were found.
Details
- 🔍View and search all Metabase releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!