Security Patch for Lime BI - Information Disclosure Vulnerability

Overview

A security vulnerability has been identified in Metabase (the underlying platform for Lime BI) that could potentially allow authenticated users to extract sensitive information, including database credentials, under certain circumstances. Severity: Medium Status: Patch available Evidence of exploitation: None observed Environment: On-premise

Vulnerability Details

What is affected?

All Lime BI installations (all versions)
The hotfix is compatible with Metabase version 1.49 or later
Older versions (1.48 or earlier) require an upgrade before the hotfix can be applied

What is the risk?

Under specific circumstances, an authenticated Lime BI user may be able to extract sensitive information such as database credentials through this vulnerability.

Even if credentials were obtained, they would not provide database access unless the database is publicly exposed on the internet, which is not a standard configuration.

Who discovered this?

This vulnerability was proactively disclosed to us by Metabase. There is no evidence that this vulnerability has ever been exploited in the wild.

Solution

We have developed a hotfix that mitigates this vulnerability by updating the nginx proxy configuration to block specific HTTP requests that could exploit this vulnerability.

Check Your Metabase Version

Before applying the patch, verify which version of Metabase you are running:

Log in to your Lime CRM Server instance
Click on the gear icon (⚙️) in the top right corner
Select Admin settings
Go to Troubleshooting in the left menu
Look for the Version information at the top of the page

The version number will be displayed in the format v1.xx.x (for example, v1.49.0).

Prerequisites

Lime BI running Metabase version 1.49 or later

Installation Instructions

Download the patch ZIP file from here
Extract the ZIP file to a location on your Lime CRM server
Right-click on apply-patch.bat and select “Run as Administrator”
The script will automatically:
- Create a backup of your existing nginx.conf
- Apply the patch configuration
- Restart the Lime CRM Webfront service (nginx)
Verify the output says “Lime CRM Webfront service restarted successfully!” or check that the service is running in Windows Services

A backup of your nginx.conf configuration is automatically created in the same directory as your nginx.conf file before any changes are made.

For Older Versions (Pre-1.49)

Metabase versions older than 1.49 are no longer supported. If your Lime BI installation is running Metabase version 1.48 or earlier, you must upgrade before applying this hotfix.

Please contact our Support to schedule an upgrade of your Lime BI setup:

https://customer.lime-technologies.com/

Recommendations

Check your Metabase version using the instructions above
Apply the hotfix as soon as possible if you're running Metabase 1.49 or later
Schedule an upgrade if you're running version 1.48 or earlier
Verify your database is not publicly exposed to the internet (follow security best practices)
Contact Support if you need assistance

Table of Contents