A vulnerability in the Spring Framework is actively being exploited in the wild. Does Metabase use Spring? Here's the summary:
"The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
More information here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Please read the security policy: https://github.com/metabase/metabase/security/policy
The vulnerability is in Spring (Core), which is a Java framework. Metabase is written in Clojure.
Metabase uses Jetty Server as the internal webserver. We are monitoring the project's security advisories https://github.com/eclipse/jetty.project/security/advisories and know they've created a PR https://github.com/eclipse/jetty.project/pull/7813, but it is currently unknown if Jetty Server is even impacted or just preemptive measures in Jetty Spring.
Nothing currently indicates Metabase is vulnerable: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#vulnerability
And we have not been able to trigger the vulnerable RCE with any of the available PoCs on the latest Metabase release.
If Metabase is vulnerable, then we will make security releases and create advisories.