Metabase vulnerable to circumvention of Locked parameter in Signed Embedding
CVE-2022-39358

6.5MEDIUM

Key Information:

Vendor: Metabase
Status: Metabase
Vendor: CVE Published:; 26 October 2022

What is CVE-2022-39358?

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.

Affected Version(s)

metabase < 0.42.6 < 0.42.6

metabase >= 0.43.0, < 0.43.7 < 0.43.0, 0.43.7

metabase >= 0.44.0, < 0.44.5 < 0.44.0, 0.44.5

References

https://github.com/metabase/metabase/security/advisories/...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 26, 2022
Vulnerability Reserved
Sep 2, 2022