Lucene search

Metabase 1.42.0

8 matches found

added 2022/04/14 10:15 p.m., 79 views

CVE-2022-24855

Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint /_internal that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to ac...

CVSS 8.7, AI score 5.7, EPSS 0.00622
added 2022/04/14 10:15 p.m., 78 views

CVE-2022-24854

Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called ATTACH DATABASE, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach th...

CVSS 8.8, AI score 8.5, EPSS 0.00266
added 2022/04/14 10:15 p.m., 69 views

CVE-2022-24853

Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in...

CVSS 5.9, AI score 5.5, EPSS 0.09286
added 2022/10/26 7:15 p.m., 67 views

CVE-2022-39358

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in ve...

CVSS 6.5, AI score 6.3, EPSS 0.00089
added 2022/10/26 7:15 p.m., 65 views

CVE-2022-39360

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to perform password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions ...

CVSS 6.5, AI score 6.4, EPSS 0.00063
added 2022/10/26 7:15 p.m., 64 views

CVE-2022-39359

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, the custom GeoJSON map URL would follow redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses. This issue is patched in versions 0.4...

CVSS 6.5, AI score 6.3, EPSS 0.00087
added 2022/10/26 7:15 p.m., 62 views

CVE-2022-39361

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44...

CVSS 8.8, AI score 9, EPSS 0.00651
added 2022/10/26 7:15 p.m., 61 views

CVE-2022-39362

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose an attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, ...

CVSS 8.8, AI score 8.7, EPSS 0.00131