← Volver a CVEs
CVE-2022-39362
HIGH8.8
Descripcion
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
Detalles CVE
Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado10/26/2022
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0
Productos afectados
metabase:metabase
Debilidades (CWE)
CWE-356
Referencias
https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c(security-advisories@github.com)
https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238(security-advisories@github.com)
https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.