CVE-2022-39362

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c	Patch Third Party Advisory
https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::

History

28 Oct 2022, 16:45

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
References	~~(MISC) https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c -~~	(MISC) https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c - Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238 -~~	(CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:metabase:metabase::::::::

26 Oct 2022, 19:38

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-26 19:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-39362

Mitre link : CVE-2022-39362

CVE.ORG link : CVE-2022-39362

JSON object : View

Products Affected

metabase

metabase

CWE

NVD-CWE-Other CWE-356

Product UI does not Warn User of Unsafe Actions

{"id": "CVE-2022-39362", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-10-26T19:15:15.800", "references": [{"url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-356"}]}], "descriptions": [{"lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want."}, {"lang": "es", "value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, eran auto ejecutadas las consultas SQL no guardadas, lo que pod\u00eda suponer un posible vector de ataque. Este problema ha sido corregido en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no ejecuta autom\u00e1ticamente las consultas nativas ad hoc. Ahora el editor nativo muestra la consulta y da al usuario la opci\u00f3n de ejecutarla manualmente si lo desea"}], "lastModified": "2022-10-28T16:45:35.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42", "versionEndExcluding": "0.41.9", "versionStartIncluding": "0.41.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225", "versionEndExcluding": "0.42.6", "versionStartIncluding": "0.42.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48", "versionEndExcluding": "0.43.7", "versionStartIncluding": "0.43.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98", "versionEndExcluding": "0.44.5", "versionStartIncluding": "0.44.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99", "versionEndExcluding": "1.41.9", "versionStartIncluding": "1.41.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6", "versionEndExcluding": "1.42.6", "versionStartIncluding": "1.42.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479", "versionEndExcluding": "1.43.7", "versionStartIncluding": "1.43.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1", "versionEndExcluding": "1.44.5", "versionStartIncluding": "1.44.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}