Vulnerability Scan Result
| Title: | Metabase |
| Description: | No description found |
| ip_address | 52.222.236.69 |
| country | US  |
| network_name | Amazon.com, Inc. |
| asn | AS16509 |
| ip_address | 52.222.236.109 |
| country | US |
| network_name | Amazon.com, Inc. |
| asn | AS16509 |
| ip_address | 52.222.236.64 |
| country | US |
| network_name | Amazon.com, Inc. |
| asn | AS16509 |
| ip_address | 52.222.236.30 |
| country | US |
| network_name | Amazon.com, Inc. |
| asn | AS16509 |
80/tcp | http | Amazon CloudFront httpd - |
443/tcp | https | - - |
| Software / Version | Category |
|---|---|
| Amazon Web Services | PaaS |
| AWS Certificate Manager | SSL/TLS certificate authorities |
| Amazon CloudFront | CDN |
| Emotion | JavaScript frameworks, Development |
| core-js 2.6.5 | JavaScript libraries |
| Java | Programming languages |
| Leaflet 1.7.1 | Maps |
| Livefyre 1.7.1 | Comment systems |
| PWA | Miscellaneous |
| Webpack | Miscellaneous |
| Jetty 12.0.22 | Web servers |
| Metabase | Performance |
| HSTS | Security |
Web Application Vulnerabilities
Evidence
| CVE | CVSS | EPSS Score | EPSS Percentile | Summary |
|---|---|---|---|---|
| CVE-2026-1605 | 7.5 | 0.00078 | 0.23093 | In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak. |
| CVE-2026-5795 | 7.4 | 0.00031 | 0.09084 | In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation. |
| CVE-2026-2332 | 7.4 | 0.00018 | 0.04613 | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request. |
| CVE-2025-11143 | 3.7 | 0.00145 | 0.34479 | The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details. |
Vulnerability description
Outdated or vulnerable software components include versions of server-side software that are no longer supported or have known, publicly disclosed vulnerabilities. Using outdated software significantly increases the attack surface of a system and may allow unauthorized access, data leaks, or service disruptions. Vulnerabilities in these components are often well-documented and actively exploited by attackers. Without security patches or vendor support, any weaknesses remain unmitigated, exposing the application to risks. In some cases, even after patching, the reported version may remain unchanged, requiring manual verification.
Risk description
The risk is that an attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to attack the system. Since the vulnerabilities were discovered using only version-based testing, the risk level for this finding will not exceed 'high' severity. Critical risks will be assigned to vulnerabilities identified through accurate active testing methods.
Recommendation
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest version.
Classification
| CWE | CWE-1035 |
| OWASP Top 10 - 2017 | |
| OWASP Top 10 - 2021 |
Evidence
| Software / Version | Category |
|---|---|
| Amazon Web Services | PaaS |
| AWS Certificate Manager | SSL/TLS certificate authorities |
| Amazon CloudFront | CDN |
| Emotion | JavaScript frameworks, Development |
| core-js 2.6.5 | JavaScript libraries |
| Java | Programming languages |
| Leaflet 1.7.1 | Maps |
| Livefyre 1.7.1 | Comment systems |
| PWA | Miscellaneous |
| Webpack | Miscellaneous |
| Jetty 12.0.22 | Web servers |
| Metabase | Performance |
| HSTS | Security |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Risk description
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Classification
| CWE | CWE-200 |
| OWASP Top 10 - 2017 | |
| OWASP Top 10 - 2021 |
Evidence
| URL | Evidence |
|---|---|
| https://metabase.browser.atakama.com/ | Response headers include the HTTP Content-Security-Policy security header with the following security issues: |
Vulnerability description
We noticed that the Content-Security-Policy (CSP) header configured for the web application includes unsafe directives. The CSP header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS) by restricting the sources from which content can be loaded or executed.
Risk description
For example, if the unsafe-inline directive is present in the CSP header, the execution of inline scripts and event handlers is allowed. This can be exploited by an attacker to execute arbitrary JavaScript code in the context of the vulnerable application.
Recommendation
Remove the unsafe values from the directives, adopt nonces or hashes for safer inclusion of inline scripts if they are needed, and explicitly define the sources from which scripts, styles, images or other resources can be loaded.
Classification
| CWE | CWE-1021 |
| OWASP Top 10 - 2017 | |
| OWASP Top 10 - 2021 |
Evidence
| URL | Method | Parameters | Evidence |
|---|---|---|---|
| https://metabase.browser.atakama.com/ | GET | Headers: User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 | Error message jdbc driver found in: |
Vulnerability description
We noticed that the target application does not properly handle exceptional conditions, leading to error messages that reveal sensitive information.
Risk description
The risk is that an attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application.
Recommendation
It is recommended treating all exceptions of the application flow. Ensure that error messages only contain minimal details.
Classification
| CWE | CWE-209 |
| OWASP Top 10 - 2017 | |
| OWASP Top 10 - 2021 |
Evidence
| URL | Method | Parameters | Evidence |
|---|---|---|---|
| https://metabase.browser.atakama.com/ | GET | Headers: User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 | Operating system paths found in the HTTP response: |
Vulnerability description
We found operating system paths returned in a HTTP response.
Risk description
The risk is that path disclosure may help an attacker learn more about the remote server's file system, thus increasing the effectiveness and precision of any future attacks.
Recommendation
Configure the web server to avoid leaking path information by using generic error messages that do not reveal any internal file paths. Make sure no server file is referred with its absolute path in the website code.
Classification
| CWE | CWE-200 |
| OWASP Top 10 - 2017 | |
| OWASP Top 10 - 2021 |
Infrastructure Vulnerabilities
Evidence
| CVE | CVSS | EPSS Score | EPSS Percentile | CISA KEV | Summary |
|---|---|---|---|---|---|
| CVE-2026-1605 | 7.5 | 0.00078 | 0.23093 | No | In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak. |
| CVE-2026-5795 | 7.4 | 0.00031 | 0.09084 | No | In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation. |
| CVE-2026-2332 | 7.4 | 0.00018 | 0.04613 | No | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request. |
| CVE-2025-11143 | 3.7 | 0.00145 | 0.34479 | No | The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details. |
Vulnerability description
Vulnerabilities found for Jetty 12.0.22
Risk description
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of service attacks. An attacker could search for an appropriate exploit (or create one) for any of these vulnerabilities and use it to attack the system. Notes: - The vulnerabilities are identified based on the server's version.; - Only the first 5 vulnerabilities with the highest risk are shown for each port.; Since the vulnerabilities were discovered using only version-based testing, the risk level for this finding will not exceed "high" severity. Critical risks will be assigned to vulnerabilities identified through accurate active testing methods.
Recommendation
We recommend you to upgrade the affected software to the latest version in order to eliminate the risks imposed by these vulnerabilities.
Evidence
| Software / Version | Category |
|---|---|
| Java | Programming languages |
| Amazon Web Services | PaaS |
| Jetty 12.0.22 | Web servers |
| HSTS | Security |
| AWS Certificate Manager | SSL/TLS certificate authorities |
| Amazon CloudFront | CDN |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Risk description
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| metabase.browser.atakama.com | A | IPv4 address | 52.222.236.64 |
| metabase.browser.atakama.com | A | IPv4 address | 52.222.236.109 |
| metabase.browser.atakama.com | A | IPv4 address | 52.222.236.69 |
| metabase.browser.atakama.com | A | IPv4 address | 52.222.236.30 |
Risk description
An initial step for an attacker aiming to learn about an organization involves conducting searches on its domain names to uncover DNS records associated with the organization. This strategy aims to amass comprehensive insights into the target domain, enabling the attacker to outline the organization's external digital landscape. This gathered intelligence may subsequently serve as a foundation for launching attacks, including those based on social engineering techniques. DNS records pointing to services or servers that are no longer in use can provide an attacker with an easy entry point into the network.
Recommendation
We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.
Evidence
| Operating System | Accuracy |
|---|---|
| Crestron XPanel control system | 87% |
Vulnerability description
OS Detection
Evidence
| Software / Version | Category |
|---|---|
| Amazon Web Services | PaaS |
| Amazon CloudFront | CDN |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Risk description
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.