Possible to circumvent Locked parameter in Signed Embedding
Package
Metabase OSS and Enterprise
(Metabase)
Affected versions
<x.44.5,<x.43.7,<x.42.6
Patched versions
0.44.5,1.44.5,0.43.7,1.43.7,0.42.6,1.42.6
Impact
It was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend.
Patches
The following patches (or greater versions) are available:
All releases are available on https://github.com/metabase/metabase/releases.