GitHub_MCVELIST:CVE-2022-39358CVE-2022-39358 Metabase vulnerable to circumvention of Locked parameter in Signed Embedding
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
28.4%
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.
CNA Affected
[
{
"vendor": "metabase",
"product": "metabase",
"versions": [
{
"version": "< 0.42.6",
"status": "affected"
},
{
"version": ">= 0.43.0, < 0.43.7",
"status": "affected"
},
{
"version": ">= 0.44.0, < 0.44.5",
"status": "affected"
},
{
"version": ">= 1.0.0, < 1.42.6",
"status": "affected"
},
{
"version": ">= 1.43.0, < 1.43.7",
"status": "affected"
},
{
"version": ">= 1.44.0, < 1.44.5",
"status": "affected"
}
]
}
]Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
28.4%