CVE-2022-39362: Metabase vulnerable to arbitrary SQL execution from queryhash
First published: Wed Oct 26 2022(Updated: )
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Metabase | >=0.41.0<0.41.9 | |
| Metabase | >=0.42.0<0.42.6 | |
| Metabase | >=0.43.0<0.43.7 | |
| Metabase | >=0.44.0<0.44.5 | |
| Metabase | >=1.41.0<1.41.9 | |
| Metabase | >=1.42.0<1.42.6 | |
| Metabase | >=1.43.0<1.43.7 | |
| Metabase | >=1.44.0<1.44.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-39362?
CVE-2022-39362 is a vulnerability in Metabase data visualization software versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 that allows unsaved SQL queries to be auto-executed, creating a possible attack vector.
How severe is CVE-2022-39362?
CVE-2022-39362 has a severity score of 8.8 (high).
How can I check if my version of Metabase is affected by CVE-2022-39362?
To check if your version of Metabase is affected, compare the version number with the vulnerable versions: 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9.
How do I fix CVE-2022-39362?
To fix CVE-2022-39362, update Metabase to one of the patched versions: 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9.
Where can I find more information about CVE-2022-39362?
More information about CVE-2022-39362 can be found in the Metabase GitHub repository and the Metabase security advisories.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/title
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/metabase
- canonical/metabase
- version/metabase/0.41.0
- version/metabase/0.42.0
- version/metabase/0.43.0
- version/metabase/0.44.0
- version/metabase/1.41.0
- version/metabase/1.42.0
- version/metabase/1.43.0
- version/metabase/1.44.0