CVE-2022-24854 Database bypassing any permissions in Metabase via SQlite attach

🗓️ 14 Apr 2022 21:40:11Reported by GitHub_MType

Database bypassing permissions in Metabase via SQLite `ATTACH DATABASE` feature CVE-2022-2485

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2022-24854	15 Apr 202202:19	–	circl
CNNVD	Metabase 安全漏洞	14 Apr 202200:00	–	cnnvd
CVE	CVE-2022-24854	14 Apr 202221:40	–	cve
EUVD	EUVD-2022-29634	3 Oct 202520:07	–	euvd
Tenable Nessus	Metabase 0.41.x < 0.41.7 / 0.42.x < 0.42.4 / 1.41.x < 1.41.7 / 1.42.x < 1.42.4	9 Sep 202500:00	–	nessus
NVD	CVE-2022-24854	14 Apr 202222:15	–	nvd
OSV	CVE-2022-24854 Database bypassing any permissions in Metabase via SQlite attach	14 Apr 202221:40	–	osv
Prion	Design/Logic Flaw	14 Apr 202222:15	–	prion
RedhatCVE	CVE-2022-24854	5 Feb 202521:53	–	redhatcve
SQLite	SQLite report about CVE-2022-24854	1 Jan 202200:00	–	sqlite

[
  {
    "product": "metabase",
    "vendor": "metabase",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.41.0, < 1.41.7"
      },
      {
        "status": "affected",
        "version": ">= 0.41.0, < 0.41.7"
      },
      {
        "status": "affected",
        "version": ">= 1.42.0, < 1.42.4"
      },
      {
        "status": "affected",
        "version": ">= 0.42.0, < 0.42.4"
      }
    ]
  }
]

Source	Link
sqlite	www.sqlite.org/lang_attach.html
github	www.github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329

14 Apr 2022 21:40Current

9.1High risk

Vulners AI Score9.1

CVSS 3.18

EPSS0.00982

CWE-610