In a recent Pen test we were alerted to some Jetty defects that are exposed in our version of Meta.
We Started looking to transition from Metabase 0.37.0.1 to 0.40.5 to resolve the issue but it appears that the same outdated version of Jetty (9.4.32 ) is in use in both versions of Metabase.
Request: Upgrade Eclipse Jetty on the Metabase to at least version 9.4.40.v20210413
immediately to mitigate these vulnerabilities.
Metabase is running a version of Eclipse Jetty (9.4.32.v20200930) that has known vulnerabilities, including the following:
CVE-2021-28165 7.5 (High) An attacker can send an invalid TLS frame and cause the CPU to reach 100% capacity.
CVE-2021-28165 Detail - https://nvd.nist.gov/vuln/detail/CVE-2021-28165
CVE-2020-27223 5.3 (Moderate) An attacker can cause a denial-of-service state by sending a specially crafted request to the Jetty server.
CVE-2020-27223 Detail - https://nvd.nist.gov/vuln/detail/CVE-2020-27223
CVE-2020-27218 4.8 (Moderate) Could be used to inject data into the body of requests.
CVE-2020-27218 Detail - https://nvd.nist.gov/vuln/detail/CVE-2020-27218