Metabase - v1.42.6
Security fixes
* Possible to circumvent Locked parameter in Signed Embedding (https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3)
* SSO users able to circumvent IdP login by doing password reset (https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc)
* GeoJSON validation doesn't prevent redirects to blocked URLs (https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4)
* Arbitrary SQL execution from queryhash (https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238)
* Remote Code Execution via H2 (https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v)
Upgrading
You can download a .jar of the release, or get the latest on Docker. Make sure to back up your Metabase database before you upgrade! Need help? Check out our upgrading instructions.
Docker image: metabase/metabase-enterprise:v1.42.6
Download the JAR here: https://downloads.metabase.com/enterprise/v1.42.6/metabase.jar
Notes
SHA-256 checksum for the 1.42.6 JAR:
87baccc858f9b4227782d7251df94a054c546e12e156cc630f7b97337e024578