====== Security Patch for Lime BI - Information Disclosure Vulnerability ======

===== Overview =====

A security vulnerability has been identified in Metabase (the underlying platform for Lime BI) that could, under certain circumstances, allow authenticated users to extract sensitive information, including database credentials.

**Severity:** Medium

**Status:** Patch available

**Evidence of exploitation:** None observed

**Environment:** On-premise

===== Vulnerability Details =====

==== What is affected? ====

  * All Lime BI installations (all versions)
  * The hotfix is compatible with Metabase version 1.49 or later
  * Older versions (1.48 or earlier) require an upgrade before the hotfix can be applied

==== What is the risk? ====

Under specific circumstances, an authenticated Lime BI user may be able to extract sensitive information such as database credentials through this vulnerability. Even if credentials were obtained, they would not provide database access unless the database is publicly exposed on the internet, which is not a standard configuration.

==== Who discovered this? ====

This vulnerability was proactively disclosed to us by Metabase. There is no evidence that it has ever been exploited in the wild.

===== Solution =====

We have developed a hotfix that mitigates this vulnerability by updating the nginx proxy configuration to block the specific HTTP requests that could exploit it.

==== Check Your Metabase Version ====

Before applying the patch, verify which version of Metabase you are running:

  - Log in to your Lime CRM Server instance
  - Click on the **gear icon** (⚙️) in the top right corner
  - Select **Admin settings**
  - Go to **Troubleshooting** in the left menu
  - Look for the **Version** information at the top of the page

The version number is displayed in the format ''v1.xx.x'' (for example, ''v1.49.0'').
==== Prerequisites ====

  * Lime BI running **Metabase version 1.49 or later**

==== Installation Instructions ====

  - **Download the patch** ZIP file from [[https://builds.lundalogik.com/api/v1/builds/lime-bi-patch-2601/versions/latest/file|here]]
  - **Extract the ZIP file** to a location on your Lime CRM server
  - **Right-click** on ''apply-patch.bat'' and select **"Run as Administrator"**
  - The script will automatically:
    * Create a backup of your existing nginx.conf
    * Apply the patch configuration
    * Restart the Lime CRM Webfront service (nginx)
  - **Verify** that the output says "Lime CRM Webfront service restarted successfully!", or check that the service is running in Windows Services

A backup of your nginx.conf configuration is automatically created in the same directory as your nginx.conf file before any changes are made.

==== For Older Versions (Pre-1.49) ====

**Metabase versions older than 1.49 are no longer supported.**

If your Lime BI installation is running Metabase version **1.48 or earlier**, you must upgrade before applying this hotfix. Please contact our Support to schedule an upgrade of your Lime BI setup:

  * https://customer.lime-technologies.com/

===== Recommendations =====

  - **Check your Metabase version** using the instructions above
  - **Apply the hotfix as soon as possible** if you're running Metabase 1.49 or later
  - **Schedule an upgrade** if you're running version 1.48 or earlier
  - **Verify your database is not publicly exposed** to the internet (follow security best practices)
  - **Contact Support** if you need assistance
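The following PowerShell script is an added post-patch checklist and is not part of the Lime BI hotfix or of ''apply-patch.bat''. It covers the verification step of the installation instructions (the Webfront service is running and a backup of nginx.conf was written next to the original) and the recommendation above to confirm the database is not exposed (it lists local database listeners bound to all interfaces). The service display name, the nginx.conf path, the backup file-name pattern and the default database ports are assumptions and placeholders; set them to match your installation before running it.

```powershell
# Added example: read-only post-patch checks for a Lime BI / Lime CRM server.
# Not part of the Lime BI hotfix. Run in an elevated PowerShell for complete results.
# ASSUMPTIONS (adjust to your installation):
#   - $ServiceName is the display name of the "Lime CRM Webfront" (nginx) service.
#   - $NginxConf is the path of the nginx.conf that apply-patch.bat modified.
#   - $DbPorts are the TCP ports of the database(s) behind Lime BI; the defaults are
#     common database ports and may not match your setup.
param(
    [string]$ServiceName = 'Lime CRM Webfront',
    [string]$NginxConf   = 'C:\PLACEHOLDER\nginx\conf\nginx.conf',
    [int[]] $DbPorts     = @(1433, 5432, 3306)
)

$failures = 0

# --- 1. The nginx-based Webfront service must be running after the patch -------------
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check its display name in Windows Services."
    $failures++
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceName' is '$($svc.Status)', expected 'Running'."
    $failures++
} else {
    Write-Host "OK: service '$ServiceName' is running."
}

# --- 2. apply-patch.bat writes a backup next to nginx.conf before editing it ----------
if (Test-Path $NginxConf) {
    $confDir = Split-Path -Parent $NginxConf
    # ASSUMPTION: the backup keeps "nginx.conf" in its file name (e.g. nginx.conf.bak).
    $backups = Get-ChildItem -Path $confDir -File -Filter 'nginx.conf*' |
               Where-Object { $_.Name -ne 'nginx.conf' }
    if ($backups) {
        Write-Host "OK: backup copies of nginx.conf found in $($confDir):"
        $backups | ForEach-Object { Write-Host ("  {0}  (modified {1})" -f $_.Name, $_.LastWriteTime) }
        Write-Host ("nginx.conf itself last modified {0}" -f (Get-Item $NginxConf).LastWriteTime)
    } else {
        Write-Warning "No backup of nginx.conf found in $confDir; the patch may not have been applied."
        $failures++
    }
} else {
    Write-Warning "nginx.conf not found at $NginxConf; set -NginxConf to the correct path."
    $failures++
}

# --- 3. Database ports should not listen on all interfaces of this host ---------------
# A database bound only to 127.0.0.1 / ::1 is unreachable from outside the machine.
# Binding to 0.0.0.0 or :: does not by itself mean internet exposure (firewalls and
# NAT still apply), but it is the condition to review against your network design.
$wildcards = @('0.0.0.0', '::')
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $DbPorts -contains $_.LocalPort }
if (-not $listeners) {
    Write-Host "No local listener on ports $($DbPorts -join ', ') (the database may run on another host)."
} else {
    foreach ($l in $listeners) {
        $procName = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        if ($wildcards -contains $l.LocalAddress) {
            Write-Warning ("Port {0} ({1}) listens on {2}: reachable from every interface; verify firewall/NAT rules." -f $l.LocalPort, $procName, $l.LocalAddress)
            $failures++
        } else {
            Write-Host ("OK: port {0} ({1}) listens only on {2}." -f $l.LocalPort, $procName, $l.LocalAddress)
        }
    }
}

if ($failures -eq 0) { Write-Host 'All post-patch checks passed.'; exit 0 }
Write-Warning "$failures check(s) need attention."
exit 1
```

Run it as ''.\Check-LimeBiPatch.ps1 -NginxConf 'D:\path\to\nginx.conf' -DbPorts 1433'' from an elevated prompt; a non-zero exit code means at least one check needs attention. The listener check only covers the host it runs on: if the database lives on a separate server, run the third section there, and remember that a wildcard bind is a prompt to review firewall and NAT rules, not proof of internet exposure.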