Metabase - v0.43.7

Security

Security fixes
* Possible to circumvent Locked parameter in Signed Embedding (https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3)
* SSO users able to circumvent IdP login by doing password reset (https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc)
* GeoJSON validation doesn't prevent redirects to blocked URLs (https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4)
* Arbitrary SQL execution from queryhash (https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238)
* Remote Code Execution via H2 (https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v)

Upgrading

You can download a .jar of the release, or get the latest on Docker. Make sure to back up your Metabase
database before you upgrade! Need help? Check out our
upgrading instructions.

Docker image: metabase/metabase:v0.43.7
Download the JAR here: https://downloads.metabase.com/v0.43.7/metabase.jar

Notes

SHA-256 checksum for the 0.43.7 JAR:

a3def1efefb328881d77deaf0980c626c1084b501c6551f62dfead9f763d0e55

Security

Security wording was detected, but no CVEs were found.

Details

date
Oct. 25, 2022, 10:39 a.m.
name
Metabase v0.43.7
type
Patch
👇
Register or login to:
  • 🔍View and search all Metabase releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or