Metabase 0.41.x < 0.41.9 / 0.42.x < 0.42.6 / 0.43.x < 0.43.7 / 0.44.x < 0.44.5 / 1.41.x < 1.41.9 / 1.42.x < 1.42.6 / 1.43.x < 1.43.7 / 1.44.x < 1.44.5

#%NASL_MIN_LEVEL 80900
##
# Tenable, Inc.
## 
include('compat.inc');

if (description)
{
  script_id(261766);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/09");

  script_name(english:"Metabase 0.41.x < 0.41.9 / 0.42.x < 0.42.6 / 0.43.x < 0.43.7 / 0.44.x < 0.44.5 / 1.41.x < 1.41.9 / 1.42.x < 1.42.6 / 1.43.x < 1.43.7 / 1.44.x < 1.44.5");
  script_cve_id("CVE-2022-39361", "CVE-2022-39362");
  script_cwe_id("CWE-20", "CWE-356", "CWE-441"); 

  script_set_attribute(attribute:"synopsis", value:
  "The remote host is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
  "The version of Metabase installed on the remote host is affected by multiple vulnerabilities: 
  
  - a H2 (Sample Database) Remote Code Execution (RCE), which can be abused by users able to write SQL queries 
    on the H2 databases. Metabase fixed this issue to no longer allow DDL statements in H2 native queries.

  - Unsaved SQL queries are auto-executed, which could pose a possible attack vector. Metabase no
    longer automatically executes ad-hoc native queries.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.");
  # https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b6fd8b92");
  # https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?976ba82a");
  # https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?480df798");
  script_set_attribute(attribute:"solution", value:
  "Upgrade to Metabase version 0.41.9, 0.42.6, 0.43.7, 0.44.5, 1.41.9, 1.42.6, 1.43.7, 1.44.5, or later.");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:metabase:metabase");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39361");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_dependencies("metabase_detect.nbin");
  script_require_keys("installed_sw/Metabase");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Metabase');

var constraints = [
    { 'min_version':'0.41', 'fixed_version':'0.41.9' },
    { 'min_version':'0.42', 'fixed_version':'0.42.6' },
    { 'min_version':'0.43', 'fixed_version':'0.43.7' },
    { 'min_version':'0.44', 'fixed_version':'0.44.5' },
    { 'min_version':'1.41', 'fixed_version':'1.41.9' },
    { 'min_version':'1.42', 'fixed_version':'1.42.6' },
    { 'min_version':'1.43', 'fixed_version':'1.43.7' },
    { 'min_version':'1.44', 'fixed_version':'1.44.5' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);