CVE-2022-39362

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
metabasemetabase
0.41.0 ≤
𝑥
< 0.41.9
metabasemetabase
0.42.0 ≤
𝑥
< 0.42.6
metabasemetabase
0.43.0 ≤
𝑥
< 0.43.7
metabasemetabase
0.44.0 ≤
𝑥
< 0.44.5
metabasemetabase
1.41.0 ≤
𝑥
< 1.41.9
metabasemetabase
1.42.0 ≤
𝑥
< 1.42.6
metabasemetabase
1.43.0 ≤
𝑥
< 1.43.7
metabasemetabase
1.44.0 ≤
𝑥
< 1.44.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c
https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238
https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c
https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238