Metabase - v0.42.6

Security

Security fixes
* Possible to circumvent Locked parameter in Signed Embedding (https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3)
* SSO users able to circumvent IdP login by doing password reset (https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc)
* GeoJSON validation doesn't prevent redirects to blocked URLs (https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4)
* Arbitrary SQL execution from queryhash (https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238)
* Remote Code Execution via H2 (https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v)

Upgrading

You can download a .jar of the release, or get the latest on Docker. Make sure to back up your Metabase
database before you upgrade! Need help? Check out our
upgrading instructions.

Docker image: metabase/metabase:v0.42.6
Download the JAR here: https://downloads.metabase.com/v0.42.6/metabase.jar

Notes

SHA-256 checksum for the 0.42.6 JAR:

7b412a54ce8f4813ff613e15e6c9f2c4608ddc40b327d2a0cc9db9de3d75f59a

Security

Security wording was detected, but no CVEs were found.

Details

date
Oct. 25, 2022, 10:38 a.m.
name
Metabase v0.42.6
type
Patch
official page
https://github.com/metabase/metabase/releases/tag/v0.42.6
👇
Register or login to:
  • 🔍View and search all Metabase releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or