We have running metabase version 0.34.3 and had no issues with our firewall, but since version 0.35 and 0.36, there is vendor.js file blocked by our firewall detected as CVE-2015-2094, is there any solution for this one?
I think is not a bug in the firewall, because the 0.34 version of Metabase is working fine with our firewall, i think there are some file changes in the vendor.js that trigger our firewal detection.
But as your suggestion for now maybe we going to exclude metabase traffic in our firewall.
@bambang We constantly change files in every release, but we cannot fix bug in firewall rules. And yes, it’s a bug, as it says it’s triggering on an ActiveX RCE - we don’t use ActiveX.
We have also seen problem in various other WAF, where their automatic detection was causing problems when people upgraded and then after a few days, then it was working normally - without changing Metabase version or touching their firewall.