Lucene search

[email protected]NVD:CVE-2022-39361

HistoryOct 26, 2022 - 7:15 p.m.

CVE-2022-39361

2022-10-2619:15:14

CWE-20

CWE-441

[email protected]

web.nvd.nist.gov

metabase

remote code execution

h2 database

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.1%

JSON

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.

Affected configurations

Nvd

Node

metabasemetabaseRange0.41.0–0.41.9

metabasemetabaseRange0.42.0–0.42.6

metabasemetabaseRange0.43.0–0.43.7

metabasemetabaseRange0.44.0–0.44.5

metabasemetabaseRange1.41.0–1.41.9

metabasemetabaseRange1.42.0–1.42.6

metabasemetabaseRange1.43.0–1.43.7

metabasemetabaseRange1.44.0–1.44.5

VendorProductVersionCPE
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::

References

github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.005

Percentile

77.1%

JSON

Related for NVD:CVE-2022-39361

osv1 cve1 prion1 cvelist1