Security update available for Metabase - Please upgrade now
Sameer Al-Sakran
An independent security researcher submitted a severe issue with Metabase. We generally don’t blog about every bug, but this one is dangerous, so we’re reaching out on all channels to make sure our community knows to pay attention to it.
While we have no evidence that the vulnerability was ever exploited in the wild, and exploiting this vulnerability isn’t simple, if you are self-hosting Metabase, you should IMMEDIATELY update your Metabase instances (if you have not already).
The vulnerability
The vulnerability allows an authenticated user (including embedding users) to retrieve sensitive information from a Metabase instance, including database access credentials. For more info, check out the security advisory.
Are you affected?
Metabase Cloud customers don’t need to upgrade
No action needed. We’ve already upgraded your Metabase, and you’re no longer vulnerable.
All self-hosted Metabases, including customers, should upgrade immediately
If you haven’t already, you should immediately upgrade to the latest point version of whichever Metabase version you’re running.
See the list of minimum safe releases below, and find the latest point version for the Metabase version you’re running. If you’re running a point version below that version, you’re still vulnerable and should upgrade immediately.
For example, if you are running 1.58.6, you should upgrade to the 1.58.7 release or later. If you’re running a version of Metabase below version 55, you should upgrade to one of the versions listed below. You can find your current version by clicking on the “gear” icon in the upper right and selecting “About Metabase.”
If you’re running a custom fork of Metabase, reach out to us for the patches
Email us at help@metabase.com so we can provide you the appropriate patches.
Minimum safe releases for each Metabase version
The downloads below include the minimum safe release for each Metabase version.
55
v0.55.20
- Docker image: metabase/metabase:v0.55.20
- Download the JAR here: https://downloads.metabase.com/v0.55.20/metabase.jar
v1.55.20
- Docker image: metabase/metabase-enterprise:v1.55.20
- Download the JAR here: https://downloads.metabase.com/enterprise/v1.55.20/metabase.jar
56
v0.56.20
- Docker image: metabase/metabase:v0.56.20
- Download the JAR here: https://downloads.metabase.com/v0.56.20/metabase.jar
v1.56.20
- Docker image: metabase/metabase-enterprise:v1.56.20
- Download the JAR here: https://downloads.metabase.com/enterprise/v1.56.20/metabase.jar
57
v0.57.13
- Docker image: metabase/metabase:v0.57.13
- Download the JAR here: https://downloads.metabase.com/v0.57.13/metabase.jar
v1.57.13
- Docker image: metabase/metabase-enterprise:v1.57.13
- Download the JAR here: https://downloads.metabase.com/enterprise/v1.57.13/metabase.jar
58
v0.58.7
- Docker image: metabase/metabase:v0.58.7
- Download the JAR here: https://downloads.metabase.com/v0.58.7/metabase.jar
v1.58.7
- Docker image: metabase/metabase-enterprise:v1.58.7
- Download the JAR here: https://downloads.metabase.com/enterprise/v1.58.7/metabase.jar
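If you run several self-hosted instances, the list above can be applied to an inventory of version strings or image tags. The script below is an added example, not Metabase's own tooling; the hostnames and the inventory are constructed, and major versions above 58 are reported as "not-listed" because this page does not cover them.

```python
import re

# Minimum safe point release per major version, copied from the list on this page.
MIN_SAFE_POINT = {55: 20, 56: 20, 57: 13, 58: 7}

# Accepts "v0.58.6", "1.58.6", or an image reference such as
# "metabase/metabase-enterprise:v1.58.6".
# The first digit is the edition (0 = open source, 1 = enterprise).
_VERSION_RE = re.compile(r"(?:^|:)v?([01])\.(\d+)\.(\d+)$")


def classify(version):
    """Return (status, detail) for one version string or image tag."""
    m = _VERSION_RE.search(version.strip())
    if not m:
        # Floating tags such as "latest" cannot be checked from the tag alone.
        return ("unparsed", "expected vX.MAJOR.POINT; check About Metabase")
    edition, major, point = (int(g) for g in m.groups())
    if major < min(MIN_SAFE_POINT):
        # Per the page: below version 55, move to one of the listed releases.
        return ("vulnerable", "upgrade to one of the listed releases")
    if major not in MIN_SAFE_POINT:
        return ("not-listed", "major version is not in this page's list")
    floor = MIN_SAFE_POINT[major]
    if point < floor:
        return ("vulnerable", f"upgrade to v{edition}.{major}.{floor} or later")
    return ("ok", f"at or above v{edition}.{major}.{floor}")


def audit(inventory):
    """Classify every entry of a {host: version} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE = {
    "bi-prod": "metabase/metabase-enterprise:v1.58.6",
    "bi-stage": "v0.57.13",
    "bi-legacy": "0.49.3",
    "bi-dev": "latest",
}

if __name__ == "__main__":
    for host, (status, detail) in audit(SAMPLE).items():
        print(f"{host:10} {status:11} {detail}")
```

Anything reported as "unparsed" or "not-listed" needs a manual check against the instance's "About Metabase" dialog rather than being assumed safe.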