CVE-2022-39358
26.10.2022, 19:15
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.Enginsight
| Vendor | Product | Version |
|---|---|---|
| metabase | metabase | 0.42.0 ≤ 𝑥 < 0.42.6 |
| metabase | metabase | 0.43.0 ≤ 𝑥 < 0.43.7 |
| metabase | metabase | 0.44.0 ≤ 𝑥 < 0.44.5 |
| metabase | metabase | 1.42.0 ≤ 𝑥 < 1.42.6 |
| metabase | metabase | 1.43.0 ≤ 𝑥 < 1.43.7 |
| metabase | metabase | 1.44.0 ≤ 𝑥 < 1.44.5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-667 - Improper LockingThe software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.