CVE-2022-39361
Last modified
CVE-2022-39361 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. EPSS estimates a 0.97% chance of exploitation in the next 30 days.
Description
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Metabase | Metabase | >= 0.41.0, < 0.41.9 |
| Metabase | Metabase | >= 0.42.0, < 0.42.6 |
| Metabase | Metabase | >= 0.43.0, < 0.43.7 |
| Metabase | Metabase | >= 0.44.0, < 0.44.5 |
| Metabase | Metabase | >= 1.41.0, < 1.41.9 |
| Metabase | Metabase | >= 1.42.0, < 1.42.6 |
| Metabase | Metabase | >= 1.43.0, < 1.43.7 |
| Metabase | Metabase | >= 1.44.0, < 1.44.5 |
References
- https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88vThird Party Advisory
- https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88vThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-39361?
How severe is CVE-2022-39361?
How do I fix CVE-2022-39361?
Are you affected by CVE-2022-39361?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST