GitHub_MCVELIST:CVE-2022-39362CVE-2022-39362 Metabase vulnerable to arbitrary SQL execution from queryhash
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.8%
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
CNA Affected
[
{
"vendor": "metabase",
"product": "metabase",
"versions": [
{
"version": "< 0.41.9",
"status": "affected"
},
{
"version": ">= 0.42.0, < 0.42.6",
"status": "affected"
},
{
"version": ">= 0.43.0, < 0.43.7",
"status": "affected"
},
{
"version": ">= 0.44.0, < 0.44.5",
"status": "affected"
},
{
"version": ">= 1.0.0, < 1.41.9",
"status": "affected"
},
{
"version": ">= 1.42.0, < 1.42.6",
"status": "affected"
},
{
"version": ">= 1.43.0, < 1.43.7",
"status": "affected"
},
{
"version": ">= 1.44.0, < 1.44.5",
"status": "affected"
}
]
}
]Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.8%