Lucene search

[email protected]NVD:CVE-2022-39358

HistoryOct 26, 2022 - 7:15 p.m.

CVE-2022-39358

2022-10-2619:15:10

CWE-200

CWE-667

[email protected]

web.nvd.nist.gov

metabase

data visualization

security bypass

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.4%

JSON

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.

Affected configurations

NVD

Node

metabasemetabaseRange0.42.0–0.42.6

metabasemetabaseRange0.43.0–0.43.7

metabasemetabaseRange0.44.0–0.44.5

metabasemetabaseRange1.42.0–1.42.6

metabasemetabaseRange1.43.0–1.43.7

metabasemetabaseRange1.44.0–1.44.5

References

github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.4%

JSON

Related for NVD:CVE-2022-39358

cve1 prion1 osv1 cvelist1