Metabase vulnerable to arbitrary SQL execution from queryhash
CVE-2022-39362

8.8HIGH

Key Information:

Vendor: Metabase
Status: Metabase
Vendor: CVE Published:; 26 October 2022

What is CVE-2022-39362?

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

metabase < 0.41.9 < 0.41.9

metabase >= 0.42.0, < 0.42.6 < 0.42.0, 0.42.6

metabase >= 0.43.0, < 0.43.7 < 0.43.0, 0.43.7

References

https://github.com/metabase/metabase/security/advisories/...

https://github.com/metabase/metabase/commit/b7c6bb905a918...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 26, 2022
Vulnerability Reserved
Sep 2, 2022

JSON

Metabase

What is CVE-2022-39362?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.