8.8

CVE-2022-39362

Metabase vulnerable to arbitrary SQL execution from queryhash

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MetabaseMetabase Version >= 0.41.0 < 0.41.9
MetabaseMetabase Version >= 0.42.0 < 0.42.6
MetabaseMetabase Version >= 0.43.0 < 0.43.7
MetabaseMetabase Version >= 0.44.0 < 0.44.5
MetabaseMetabase Version >= 1.41.0 < 1.41.9
MetabaseMetabase Version >= 1.42.0 < 1.42.6
MetabaseMetabase Version >= 1.43.0 < 1.43.7
MetabaseMetabase Version >= 1.44.0 < 1.44.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.79% 0.514
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-356 Product UI does not Warn User of Unsafe Actions

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c
Patch
Third Party Advisory
https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238
Third Party Advisory