Vulnerabilities related to metabase - metabase
Vulnerability from fkie_nvd
Published
2022-04-14 22:15
Modified
2024-11-21 06:51
Severity
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on Windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m | Release Notes, Third Party Advisory
security-advisories@github.com | https://secure77.de/metabase-ntlm-relay-attack/ | Exploit, Third Party Advisory
security-advisories@github.com | https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://secure77.de/metabase-ntlm-relay-attack/ | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/ | Third Party Advisory
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D78C572A-4BF8-4CA6-9154-4B89DA29AC0F", "versionEndExcluding": "0.40.8", "versionStartIncluding": "0.40.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "548FFDC4-010F-4B2C-995F-41F540995B0E", "versionEndExcluding": "0.41.7", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9282AB8-E8AF-4431-9BED-D1427CDF81BE", "versionEndExcluding": "0.42.4", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "87B12439-8DDB-47C4-B599-CBCE18625655", "versionEndExcluding": "1.40.8", "versionStartIncluding": "1.40.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E19CC33-86D1-42B3-8EBC-3642FF59A5AC", "versionEndExcluding": "1.41.7", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "0661FFDD-F667-4818-8EB3-B42E9E7001F2", "versionEndExcluding": "1.42.4", "versionStartIncluding": "1.42.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. 
The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8." }, { "lang": "es", "value": "Metabase es una aplicaci\u00f3n de an\u00e1lisis e inteligencia empresarial de c\u00f3digo abierto. Metabase presenta un proxy para cargar URLs arbitrarias para mapas JSON como parte de nuestro soporte GeoJSON. Mientras comprobamos que no sea devuelto el contenido de URLs arbitrarias, se presenta un caso en el que una petici\u00f3n especialmente dise\u00f1ada podr\u00eda resultar en un acceso a un archivo en Windows, lo que permite habilitar un \"Ataque de retransmisi\u00f3n NTLM\", permitiendo potencialmente a un atacante recibir el hash de la contrase\u00f1a del sistema. Si usted usa Windows y est\u00e1 en esta versi\u00f3n de Metabase, por favor actualice inmediatamente. Los siguientes parches (o versiones superiores) est\u00e1n disponibles: versiones 0.42.4 y 1.42.4, 0.41.7 y 1.41.7, 0.40.8 y 1.40.8" } ], "id": "CVE-2022-24853", "lastModified": "2024-11-21T06:51:14.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, 
"exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-04-14T22:15:08.057", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://secure77.de/metabase-ntlm-relay-attack/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://secure77.de/metabase-ntlm-relay-attack/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } 
] }
Vulnerability from fkie_nvd
Published
2022-10-26 19:15
Modified
2024-11-21 07:18
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42", "versionEndExcluding": "0.41.9", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225", "versionEndExcluding": "0.42.6", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48", "versionEndExcluding": "0.43.7", "versionStartIncluding": "0.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98", "versionEndExcluding": "0.44.5", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99", "versionEndExcluding": "1.41.9", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6", "versionEndExcluding": "1.42.6", "versionStartIncluding": "1.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479", "versionEndExcluding": "1.43.7", "versionStartIncluding": "1.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1", "versionEndExcluding": "1.44.5", "versionStartIncluding": "1.44.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. 
Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login." }, { "lang": "es", "value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, los usuarios de inicio de sesi\u00f3n \u00fanico (SSO) pod\u00edan restablecer sus contrase\u00f1as en Metabase, lo que pod\u00eda permitir el acceso de un usuario sin pasar por el IdP de SSO. Este problema ha sido corregido en las versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ahora bloquea el restablecimiento de la contrase\u00f1a para todos los usuarios que usan SSO para su inicio de sesi\u00f3n en Metabase" } ], "id": "CVE-2022-39360", "lastModified": "2024-11-21T07:18:06.940", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, 
"exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-26T19:15:13.657", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" }, { "lang": "en", "value": "CWE-304" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-26 18:15
Modified
2024-11-21 07:27
Severity
Summary
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.
References
Source | URL | Tags
---|---|---
vulnreport@tenable.com | https://www.tenable.com/security/research/tra-2022-34 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.tenable.com/security/research/tra-2022-34 | Exploit, Third Party Advisory
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57FB3B9-857A-4DB4-8BC9-6E5B591F408F", "versionEndExcluding": "0.44.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The url parameter of the /api/geojson endpoint in Metabase versions \u003c44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects." }, { "lang": "es", "value": "El par\u00e1metro url del endpoint /api/geojson en Metabase versiones anteriores a 44.5, puede ser usado para llevar a cabo ataques de tipo Server Side Request Forgery. Las listas negras implementadas anteriormente pod\u00edan ser omitidas aprovechando los redireccionamientos 301 y 302" } ], "id": "CVE-2022-43776", "lastModified": "2024-11-21T07:27:12.897", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-26T18:15:11.087", "references": [ { "source": "vulnreport@tenable.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.tenable.com/security/research/tra-2022-34" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.tenable.com/security/research/tra-2022-34" } ], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-17 20:15
Modified
2025-02-18 14:44
Severity
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
References
Impacted products
{ "cisaActionDue": "2024-12-03", "cisaExploitAdd": "2024-11-12", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Metabase GeoJSON API Local File Inclusion Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*", "matchCriteriaId": "AF64F422-9B51-4949-A9B3-459C77B37C8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*", "matchCriteriaId": "3F3694D1-A2D8-4451-B4E2-498EDF5B93C6", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*", "matchCriteriaId": "7BA0D68D-DF27-4726-A893-8D1BCAA39842", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*", "matchCriteriaId": "B2C59AA8-0BA6-4EB1-9121-D84C805E6A9C", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*", "matchCriteriaId": "BB23EBC1-F524-416B-99F6-143B97D64B01", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*", "matchCriteriaId": "310FB743-2F8A-415C-AF7B-20BCEF0C464E", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*", "matchCriteriaId": "511B7873-4908-4B1B-B55B-DC90A3BBE659", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5C9DE222-5F6B-42E3-9B5B-DB9EE05C4FD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FA1F16C0-63AA-49B5-A28D-D63BA97D07B3", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5AA701CB-58B6-4B17-ABCC-B12F2DB9F2A3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics 
platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin-\u003esettings-\u003emaps-\u003ecustom maps-\u003eadd a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you\u2019re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application." }, { "lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. En las versiones afectadas se ha detectado un problema de seguridad con el soporte de mapas GeoJSON personalizados (\"admin-\u0026gt;settings-\u0026gt;maps-\u0026gt;custom maps-\u0026gt;add a map\") y la posible inclusi\u00f3n de archivos locales (incluyendo variables de entorno). Las URLs no se comprueban antes de ser cargadas. Este problema se ha corregido en una nueva versi\u00f3n de mantenimiento (0.40.5 y 1.40.5), y en cualquier otra versi\u00f3n posterior. Si no puede actualizar inmediatamente, puede mitigar esto incluyendo reglas en su proxy inverso o balanceador de carga o WAF para proporcionar un filtro de comprobaci\u00f3n antes de la aplicaci\u00f3n." 
} ], "id": "CVE-2021-41277", "lastModified": "2025-02-18T14:44:41.687", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, 
"impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2021-11-17T20:15:10.587", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0" }, { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-26 19:15
Modified
2024-11-21 07:18
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42", "versionEndExcluding": "0.41.9", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225", "versionEndExcluding": "0.42.6", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48", "versionEndExcluding": "0.43.7", "versionStartIncluding": "0.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98", "versionEndExcluding": "0.44.5", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99", "versionEndExcluding": "1.41.9", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6", "versionEndExcluding": "1.42.6", "versionStartIncluding": "1.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479", "versionEndExcluding": "1.43.7", "versionStartIncluding": "1.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1", "versionEndExcluding": "1.44.5", "versionStartIncluding": "1.44.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. 
Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries." }, { "lang": "es", "value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, H2 (base de datos de muestra) pod\u00eda permitir una ejecuci\u00f3n de c\u00f3digo remota (RCE), de la que pod\u00edan abusar los usuarios capaces de escribir consultas SQL en las bases de datos H2. Este problema est\u00e1 parcheado en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no permite las sentencias DDL en las consultas nativas H2" } ], "id": "CVE-2022-39361", "lastModified": "2024-11-21T07:18:07.077", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2022-10-26T19:15:14.707", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" }, { "lang": "en", "value": "CWE-441" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-04-14 22:15
Modified
2024-11-21 06:51
Severity
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/metabase/metabase/releases/tag/v0.42.4 | Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/metabase/metabase/releases/tag/v0.42.4 | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr | Release Notes, Third Party Advisory
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D78C572A-4BF8-4CA6-9154-4B89DA29AC0F", "versionEndExcluding": "0.40.8", "versionStartIncluding": "0.40.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "548FFDC4-010F-4B2C-995F-41F540995B0E", "versionEndExcluding": "0.41.7", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9282AB8-E8AF-4431-9BED-D1427CDF81BE", "versionEndExcluding": "0.42.4", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "87B12439-8DDB-47C4-B599-CBCE18625655", "versionEndExcluding": "1.40.8", "versionStartIncluding": "1.40.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E19CC33-86D1-42B3-8EBC-3642FF59A5AC", "versionEndExcluding": "1.41.7", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "0661FFDD-F667-4818-8EB3-B42E9E7001F2", "versionEndExcluding": "1.42.4", "versionStartIncluding": "1.42.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8." 
}, { "lang": "es", "value": "Metabase es una aplicaci\u00f3n de an\u00e1lisis e inteligencia empresarial de c\u00f3digo abierto. En las versiones afectadas, Metabase es enviado con un endpoint de desarrollo interno \"/_internal\" que puede permitir ataques de tipo cross site scripting (XSS), conllevando potencialmente a intentos de suplantaci\u00f3n de identidad con enlaces maliciosos que podr\u00edan conducir a una toma de posesi\u00f3n de la cuenta. Es recomendado a usuarios actualizar inmediatamente o bloquear el acceso en su firewall a los endpoints \"/_internal\" de Metabase. Est\u00e1n disponibles los siguientes parches (o versiones superiores): versiones 0.42.4 y 1.42.4, 0.41.7 y 1.41.7, 0.40.8 y 1.40.8" } ], "id": "CVE-2022-24855", "lastModified": "2024-11-21T06:51:14.620", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-04-14T22:15:08.170", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.42.4" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.42.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-04-14 22:15
Modified
2024-11-21 06:51
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that, the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLite connection strings to contain the URL argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected.
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329 | Release Notes, Third Party Advisory | |
security-advisories@github.com | https://www.sqlite.org/lang_attach.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.sqlite.org/lang_attach.html | Third Party Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "548FFDC4-010F-4B2C-995F-41F540995B0E", "versionEndExcluding": "0.41.7", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9282AB8-E8AF-4431-9BED-D1427CDF81BE", "versionEndExcluding": "0.42.4", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E19CC33-86D1-42B3-8EBC-3642FF59A5AC", "versionEndExcluding": "1.41.7", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "0661FFDD-F667-4818-8EB3-B42E9E7001F2", "versionEndExcluding": "1.42.4", "versionStartIncluding": "1.42.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you\u0027re unable to upgrade, you can modify your SQLIte connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected." }, { "lang": "es", "value": "Metabase es una aplicaci\u00f3n de an\u00e1lisis e inteligencia empresarial de c\u00f3digo abierto. 
SQLite presenta una caracter\u00edstica similar a FDW llamada \"ATTACH DATABASE\", que permite conectar m\u00faltiples bases de datos SQLite por medio de la conexi\u00f3n inicial. Si el atacante presenta permisos de SQL en al menos una base de datos SQLite, entonces puede adjuntar esta base de datos a una segunda base de datos, y entonces puede consultar todas las tablas. Para poder hacer esto, el atacante tambi\u00e9n necesita conocer la ruta del archivo de la segunda base de datos. Es recomendado a usuarios actualizar lo antes posible. Si no puedes actualizar, puedes modificar tus cadenas de conexi\u00f3n SQLIte para que contengan el argumento url \"?limit_attached=0\", que deshabilitar\u00e1 la realizaci\u00f3n de conexiones a otras bases de datos SQLite. S\u00f3lo estar\u00e1n afectados los usuarios que usen SQLite" } ], "id": "CVE-2022-24854", "lastModified": "2024-11-21T06:51:14.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { 
"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-04-14T22:15:08.110", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.sqlite.org/lang_attach.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.sqlite.org/lang_attach.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-610" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-26 19:15
Modified
2024-11-21 07:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URLs would follow redirects to addresses that were otherwise disallowed, like link-local or private-network addresses. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default).
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42", "versionEndExcluding": "0.41.9", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225", "versionEndExcluding": "0.42.6", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48", "versionEndExcluding": "0.43.7", "versionStartIncluding": "0.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98", "versionEndExcluding": "0.44.5", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99", "versionEndExcluding": "1.41.9", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6", "versionEndExcluding": "1.42.6", "versionStartIncluding": "1.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479", "versionEndExcluding": "1.43.7", "versionStartIncluding": "1.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1", "versionEndExcluding": "1.44.5", "versionStartIncluding": "1.44.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. 
Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default)." }, { "lang": "es", "value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, las direcciones URL de los mapas GeoJSON personalizados segu\u00edan redireccionamientos a direcciones que no estaban permitidas, como link-local o private-network. Este problema ha sido corregido en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no sigue los redireccionamientos en las URL de mapas GeoJSON. 
Tambi\u00e9n fue a\u00f1adida una variable de entorno \"MB_CUSTOM_GEOJSON_ENABLED\" para deshabilitar completamente el GeoJSON personalizado (\"true\" por defecto)" } ], "id": "CVE-2022-39359", "lastModified": "2024-11-21T07:18:06.803", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-26T19:15:12.410", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4" } 
], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-28 02:15
Modified
2024-11-21 07:46
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandboxed user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C", "versionEndExcluding": "0.43.7.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5", "versionEndExcluding": "0.44.6.1", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3", "versionEndExcluding": "0.45.2.1", "versionStartIncluding": "0.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505", "versionEndExcluding": "1.43.7.1", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44", "versionEndExcluding": "1.44.6.1", "versionStartIncluding": "1.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31", "versionEndExcluding": "1.45.2.1", "versionStartIncluding": "1.45.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. 
There are no workarounds.\n" }, { "lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a la exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\u00f3n de una suscripci\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\u00f3n. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds." } ], "id": "CVE-2023-23628", "lastModified": "2024-11-21T07:46:34.077", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-28T02:15:07.797", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-05-18 23:15
Modified
2024-11-21 08:03
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database, but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that anyone, including people in sandboxed groups, could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "224A57A1-0426-402D-B2AB-A7909F995D27", "versionEndExcluding": "0.44.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "426C2FA2-C43E-4E09-8995-26E4E8254C9C", "versionEndExcluding": "0.45.4", "versionStartIncluding": "0.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D569869-9451-48ED-8C82-CFC560A830E5", "versionEndExcluding": "0.46.3", "versionStartIncluding": "0.46.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6024329D-A315-45C7-BE88-9AE30787DACE", "versionEndExcluding": "1.44.7", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C8547BD-E4C3-45EB-9294-A9CDF88303EE", "versionEndExcluding": "1.45.4", "versionStartIncluding": "1.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3A7E247-05AE-43A6-A924-CB6B62679CD7", "versionEndExcluding": "1.46.3", "versionStartIncluding": "1.46.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. 
If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets." } ], "id": "CVE-2023-32680", "lastModified": "2024-11-21T08:03:50.250", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-18T23:15:09.783", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/pull/30852" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/pull/30853" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/pull/30854" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": 
"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/pull/30852" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/pull/30853" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/metabase/metabase/pull/30854" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-28 02:15
Modified
2024-11-21 07:46
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboard subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is that users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C", "versionEndExcluding": "0.43.7.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5", "versionEndExcluding": "0.44.6.1", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3", "versionEndExcluding": "0.45.2.1", "versionStartIncluding": "0.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505", "versionEndExcluding": "1.43.7.1", "versionStartIncluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44", "versionEndExcluding": "1.44.6.1", "versionStartIncluding": "1.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31", "versionEndExcluding": "1.45.2.1", "versionStartIncluding": "1.45.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. 
The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n" }, { "lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a una gesti\u00f3n de privilegios inadecuada. Seg\u00fan lo previsto, los destinatarios de las suscripciones a paneles pueden ver los datos tal como los ve el creador de esa suscripci\u00f3n. Esto permite que alguien con mayor acceso a los datos cree una suscripci\u00f3n al panel, agregue personas con menos privilegios de datos y todos los destinatarios de esa suscripci\u00f3n reciban los mismos datos: los gr\u00e1ficos que se muestran en el correo electr\u00f3nico cumplir\u00e1n con los privilegios del usuario que cre\u00f3 la suscripci\u00f3n. . El problema es que los usuarios con menos privilegios que pueden ver un panel pueden agregarse a una suscripci\u00f3n al panel creada por alguien con privilegios de datos adicionales y, por lo tanto, obtener acceso a m\u00e1s datos por correo electr\u00f3nico. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. En instancias de Metabase que ejecutan Enterprise Edition, los administradores pueden desactivar el permiso \"Suscripciones y alertas\" para grupos que tienen permisos de datos restringidos, como workaround." 
} ], "id": "CVE-2023-23629", "lastModified": "2024-11-21T07:46:34.197", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-28T02:15:07.900", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" }, { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-11-15 15:29
Modified
2024-11-21 03:38
Summary
Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Source | URL | Tags
---|---|---
vultures@jpcert.or.jp | http://jvn.jp/en/jp/JVN14323043/index.html | Third Party Advisory
vultures@jpcert.or.jp | https://metabase.com/ | Product, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://jvn.jp/en/jp/JVN14323043/index.html | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://metabase.com/ | Product, Vendor Advisory
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "1949B729-3969-4C37-8B52-0ACC1FADA6EF", "versionEndIncluding": "0.29.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad Cross-Site Scripting (XSS) en Metabase, en versiones 0.29.3 y anteriores, permite que los atacantes remotos inyecten scripts web o HTML arbitrarios utilizando vectores no especificados." } ], "id": "CVE-2018-0697", "lastModified": "2024-11-21T03:38:46.097", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-11-15T15:29:01.160", "references": [ { "source": "vultures@jpcert.or.jp", "tags": [ "Third Party Advisory" ], "url": 
"http://jvn.jp/en/jp/JVN14323043/index.html" }, { "source": "vultures@jpcert.or.jp", "tags": [ "Product", "Vendor Advisory" ], "url": "https://metabase.com/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN14323043/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Vendor Advisory" ], "url": "https://metabase.com/" } ], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-26 19:15
Modified
2024-11-21 07:18
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42", "versionEndExcluding": "0.41.9", "versionStartIncluding": "0.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225", "versionEndExcluding": "0.42.6", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48", "versionEndExcluding": "0.43.7", "versionStartIncluding": "0.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98", "versionEndExcluding": "0.44.5", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99", "versionEndExcluding": "1.41.9", "versionStartIncluding": "1.41.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6", "versionEndExcluding": "1.42.6", "versionStartIncluding": "1.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479", "versionEndExcluding": "1.43.7", "versionStartIncluding": "1.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1", "versionEndExcluding": "1.44.5", "versionStartIncluding": "1.44.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. 
Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want." }, { "lang": "es", "value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, eran auto ejecutadas las consultas SQL no guardadas, lo que pod\u00eda suponer un posible vector de ataque. Este problema ha sido corregido en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no ejecuta autom\u00e1ticamente las consultas nativas ad hoc. Ahora el editor nativo muestra la consulta y da al usuario la opci\u00f3n de ejecutarla manualmente si lo desea" } ], "id": "CVE-2022-39362", "lastModified": "2024-11-21T07:18:07.203", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, 
"impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-26T19:15:15.800", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-356" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-26 19:15
Modified
2024-11-21 07:18
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225", "versionEndExcluding": "0.42.6", "versionStartIncluding": "0.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48", "versionEndExcluding": "0.43.7", "versionStartIncluding": "0.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98", "versionEndExcluding": "0.44.5", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6", "versionEndExcluding": "1.42.6", "versionStartIncluding": "1.42.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479", "versionEndExcluding": "1.43.7", "versionStartIncluding": "1.43.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1", "versionEndExcluding": "1.44.5", "versionStartIncluding": "1.44.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6." }, { "lang": "es", "value": "Metabase es un software de visualizaci\u00f3n de datos. 
En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6 y 1.42.6, era posible omitir los par\u00e1metros bloqueados cuando se solicitaban datos para una pregunta en un tablero de mando insertado al construir una petici\u00f3n maliciosa al backend. Este problema est\u00e1 parcheado en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6 y 1.42.6" } ], "id": "CVE-2022-39358", "lastModified": "2024-11-21T07:18:06.683", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-26T19:15:10.240", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": 
"security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-667" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-08-04 16:15
Modified
2024-11-21 08:11
Severity
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 | Mitigation, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 | Mitigation, Patch, Third Party Advisory
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "AFE116C8-B5B5-48CE-873D-1E508D1A656A", "versionEndExcluding": "0.43.7.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "97C698D2-6F8A-4BD4-BC29-80086F1F87C0", "versionEndExcluding": "1.43.7.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "36C340AD-358E-478B-B75C-4A0A8F52F6C6", "versionEndExcluding": "0.44.7.3", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "A23C9D19-21F7-4529-8CF7-C20DACA524F3", "versionEndExcluding": "0.45.4.3", "versionStartIncluding": "0.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "87EA14BE-A683-44D4-904D-3DEB8A672958", "versionEndExcluding": "0.46.6.4", "versionStartIncluding": "0.46.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A4F52A25-3933-4D5D-A69F-073D31C079D2", "versionEndExcluding": "1.44.7.3", "versionStartIncluding": "1.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0ECC070D-27E2-40A2-A0D4-E818CBAB857D", "versionEndExcluding": "1.45.4.3", "versionStartIncluding": "1.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E025C478-8650-4B5E-B92F-9ACD2AA4C8C2", "versionEndExcluding": "1.46.6.4", "versionStartIncluding": "1.46.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase is an open-source business intelligence and analytics platform. 
Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one\u0027s Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite." }, { "lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis e inteligencia empresarial de c\u00f3digo abierto. Antes de las versiones 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3 y 1.46.6.4, una vulnerabilidad pod\u00eda permitir la ejecuci\u00f3n remota de c\u00f3digo en el servidor Metabase. El problema central es que uno de los almacenes de datos soportados (una base de datos en memoria embebida H2), expone un varias maneras para que una cadena de conexi\u00f3n incluya c\u00f3digo que luego es ejecutado por el proceso que ejecuta la base de datos embebida. Debido a que Metabase permite a los usuarios conectarse a bases de datos, esto significa que una cadena suministrada por el usuario puede ser utilizada para inyectar c\u00f3digo ejecutable. 
Metabase permite a los usuarios validar su cadena de conexi\u00f3n antes de a\u00f1adir una base de datos (incluso en la configuraci\u00f3n), y esta API de validaci\u00f3n fue el principal vector utilizado, ya que puede ser llamada sin validaci\u00f3n. Las versiones 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3 y 1.46.6.4 solucionan este problema eliminando por completo la posibilidad de que los usuarios a\u00f1adan bases de datos H2. Como soluci\u00f3n, es posible bloquear estas vulnerabilidades a nivel de red bloqueando los endpoints `POST /api/database`, `PUT /api/database/:id`, y `POST /api/setup/validateuntil`. Quienes utilicen H2 como base de datos basada en ficheros deber\u00edan migrar a SQLite." } ], "id": "CVE-2023-37470", "lastModified": "2024-11-21T08:11:46.617", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-08-04T16:15:09.610", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Patch", "Third Party Advisory" ], "url": 
"https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Patch", "Third Party Advisory" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-21 15:15
Modified
2024-11-21 08:13
Summary
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "5AE3BE02-E7B9-43CB-8FBA-001F5D8E24ED", "versionEndExcluding": "0.43.7.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6591576F-15AC-493F-96B4-6F3E1E5D1350", "versionEndExcluding": "1.43.7.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "90CEC6C0-C2EE-496D-BBE0-DBC83717F211", "versionEndExcluding": "0.44.7.1", "versionStartIncluding": "0.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "EC4D0A9A-F084-403A-83BF-F1C56470B845", "versionEndExcluding": "0.45.4.1", "versionStartIncluding": "0.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*", "matchCriteriaId": "BEA5EEF8-7F70-4D40-9EB6-8BB5226E281E", "versionEndExcluding": "0.46.6.1", "versionStartIncluding": "0.46.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "825F5E14-49FC-4A8A-87FE-FA039D121F99", "versionEndExcluding": "1.44.7.1", "versionStartIncluding": "1.44.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C20D76CF-15B4-49C3-8F3A-8417B5C8016B", "versionEndExcluding": "1.45.4.1", "versionStartIncluding": "1.45.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "47767C52-13CC-4164-84DC-54E3BDC1C590", "versionEndExcluding": "1.46.6.1", "versionStartIncluding": "1.46.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server\u0027s privilege level. 
Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2." } ], "id": "CVE-2023-38646", "lastModified": "2024-11-21T08:13:58.837", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-21T15:15:10.003", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://github.com/metabase/metabase/issues/32552" }, { "source": "cve@mitre.org", "tags": [ "Release Notes" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://news.ycombinator.com/item?id=36812256" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://www.metabase.com/blog/security-advisory" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://github.com/metabase/metabase/issues/32552" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Release Notes" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://news.ycombinator.com/item?id=36812256" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.metabase.com/blog/security-advisory" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2022-39361
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 12:00
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:44.174Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.41.9" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.6" }, { "status": "affected", "version": "\u003e= 0.43.0, \u003c 0.43.7" }, { "status": "affected", "version": "\u003e= 0.44.0, \u003c 0.44.5" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.41.9" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.6" }, { "status": "affected", "version": "\u003e= 1.43.0, \u003c 1.43.7" }, { "status": "affected", "version": "\u003e= 1.44.0, \u003c 1.44.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-441", "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v" } ], "source": { "advisory": "GHSA-gqpj-wcr3-p88v", "discovery": "UNKNOWN" }, "title": "Metabase vulnerable to Remote Code Execution via H2" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39361", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:44.174Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-39360
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 12:00
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:44.174Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc" }, { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.41.9" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.6" }, { "status": "affected", "version": "\u003e= 0.43.0, \u003c 0.43.7" }, { "status": "affected", "version": "\u003e= 0.44.0, \u003c 0.44.5" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.41.9" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.6" }, { "status": "affected", "version": "\u003e= 1.43.0, \u003c 1.43.7" }, { "status": "affected", "version": "\u003e= 1.44.0, \u003c 1.44.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-304", "description": "CWE-304: Missing Critical Step in Authentication", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc" }, { "url": "https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730" } ], "source": { "advisory": "GHSA-gw4g-ww2m-v7vc", "discovery": "UNKNOWN" }, "title": "Metabase SSO users able to circumvent IdP login by doing password reset" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39360", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:44.174Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-27141
Vulnerability from cvelistv5
Published
2025-02-24 22:05
Modified
2025-02-25 14:31
Summary
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contain a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.
References
| URL | Tags |
|---|---|
| https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p | x_refsource_CONFIRM |
| https://www.metabase.com/docs/latest/configuring-metabase/caching | x_refsource_MISC |
| https://www.metabase.com/docs/latest/permissions/impersonation | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27141", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-25T14:31:15.032552Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-25T14:31:28.020Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003e= 1.47.0, \u003c 1.50.36" }, { "status": "affected", "version": "\u003e= 1.51.0, \u003c 1.51.14" }, { "status": "affected", "version": "\u003e= 1.52.0, \u003c 1.51.11" }, { "status": "affected", "version": "\u003e= 1.53.0, \u003c 1.53.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-24T22:05:14.188Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p" }, { "name": "https://www.metabase.com/docs/latest/configuring-metabase/caching", "tags": [ "x_refsource_MISC" ], "url": "https://www.metabase.com/docs/latest/configuring-metabase/caching" }, { "name": "https://www.metabase.com/docs/latest/permissions/impersonation", "tags": [ "x_refsource_MISC" ], "url": "https://www.metabase.com/docs/latest/permissions/impersonation" } ], "source": { "advisory": "GHSA-6cc4-h534-xh5p", "discovery": "UNKNOWN" }, "title": "Metabase Enterprise Edition allows cached questions to leak data to impersonated users" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27141", "datePublished": "2025-02-24T22:05:14.188Z", "dateReserved": "2025-02-19T16:30:47.777Z", "dateUpdated": "2025-02-25T14:31:28.020Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41277
Vulnerability from cvelistv5
Published
2021-11-17 20:05
Modified
2024-11-13 14:17
Summary
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
References
| URL | Tags |
|---|---|
| https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr | x_refsource_CONFIRM |
| https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.852Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "metabase", "vendor": "metabase", "versions": [ { "lessThan": "0.40.5", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "1.40.5", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "dateAdded": "2024-11-12", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" }, "type": "kev" } }, { "other": { "content": { "id": "CVE-2021-41277", "options": [ { "Exploitation": "active" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-13T14:15:46.325821Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-13T14:17:56.119Z", "orgId": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.40.5" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.40.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin-\u003esettings-\u003emaps-\u003ecustom maps-\u003eadd a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you\u2019re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-17T20:05:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0" } ], "source": { "advisory": 
"GHSA-w73v-6p7p-fpfr", "discovery": "UNKNOWN" }, "title": "GeoJSON URL validation can expose server files and environment variables to unauthorized users", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41277", "STATE": "PUBLIC", "TITLE": "GeoJSON URL validation can expose server files and environment variables to unauthorized users" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "metabase", "version": { "version_data": [ { "version_value": "\u003c 0.40.5" }, { "version_value": "\u003e= 1.0.0, \u003c 1.40.5" } ] } } ] }, "vendor_name": "metabase" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin-\u003esettings-\u003emaps-\u003ecustom maps-\u003eadd a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you\u2019re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr", "refsource": "CONFIRM", "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr" }, { "name": "https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0", "refsource": "MISC", "url": "https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0" } ] }, "source": { "advisory": "GHSA-w73v-6p7p-fpfr", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41277", "datePublished": "2021-11-17T20:05:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-11-13T14:17:56.119Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23628
Vulnerability from cvelistv5
Published
2023-01-28 01:11
Modified
2024-08-02 10:35
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
References
| URL | Tags |
|---|---|
| https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:35:33.640Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.43.7.1" }, { "status": "affected", "version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1" }, { "status": "affected", "version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.43.7.1" }, { "status": "affected", "version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1" }, { "status": "affected", "version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. 
There are no workarounds.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-28T01:11:16.710Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv" } ], "source": { "advisory": "GHSA-492f-qxr3-9rrv", "discovery": "UNKNOWN" }, "title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor " } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-23628", "datePublished": "2023-01-28T01:11:16.710Z", "dateReserved": "2023-01-16T17:07:46.244Z", "dateUpdated": "2024-08-02T10:35:33.640Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-55951
Vulnerability from cvelistv5
Published
2024-12-16 20:03
Modified
2024-12-17 15:17
Summary
Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading.
References
| URL | Tags |
|---|---|
| https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3 | x_refsource_CONFIRM |
| https://downloads.metabase.com/v0.52.2.5/metabase.jar | x_refsource_MISC |
| https://hub.docker.com/r/metabase/metabase/tags | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-55951", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-17T15:17:06.667171Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-17T15:17:36.574Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003e= 1.52.0, \u003c 1.52.2.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-16T20:03:54.861Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3" }, { "name": "https://downloads.metabase.com/v0.52.2.5/metabase.jar", "tags": [ "x_refsource_MISC" ], "url": "https://downloads.metabase.com/v0.52.2.5/metabase.jar" }, { "name": "https://hub.docker.com/r/metabase/metabase/tags", "tags": [ "x_refsource_MISC" ], "url": "https://hub.docker.com/r/metabase/metabase/tags" } ], "source": { "advisory": "GHSA-rhjf-q2qw-rvx3", "discovery": "UNKNOWN" }, "title": "Metabase sandboxed users could see filter values from other sandboxed users" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-55951", "datePublished": "2024-12-16T20:03:54.861Z", "dateReserved": "2024-12-13T17:47:38.371Z", "dateUpdated": "2024-12-17T15:17:36.574Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-39362
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 12:00
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:44.081Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238" }, { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.41.9" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.6" }, { "status": "affected", "version": "\u003e= 0.43.0, \u003c 0.43.7" }, { "status": "affected", "version": "\u003e= 0.44.0, \u003c 0.44.5" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.41.9" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.6" }, { "status": "affected", "version": "\u003e= 1.43.0, \u003c 1.43.7" }, { "status": "affected", "version": "\u003e= 1.44.0, \u003c 1.44.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-356", "description": "CWE-356: Product UI does not Warn User of Unsafe Actions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238" }, { "url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c" } ], "source": { "advisory": "GHSA-93wj-fgjg-r238", "discovery": "UNKNOWN" }, "title": "Metabase vulnerable to arbitrary SQL execution from queryhash" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39362", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:44.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43776
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 13:40
Summary
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:40:06.624Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2022-34" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Metabase", "vendor": "n/a", "versions": [ { "status": "affected", "version": "\u003c44.5" } ] } ], "descriptions": [ { "lang": "en", "value": "The url parameter of the /api/geojson endpoint in Metabase versions \u003c44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects." } ], "problemTypes": [ { "descriptions": [ { "description": "Server Side Request Forgery (SSRF)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable" }, "references": [ { "url": "https://www.tenable.com/security/research/tra-2022-34" } ] } }, "cveMetadata": { "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2022-43776", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-10-26T00:00:00", "dateUpdated": "2024-08-03T13:40:06.624Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-38646
Vulnerability from cvelistv5
Published
2023-07-21 00:00
Modified
2024-08-02 17:46
Summary
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:46:56.432Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.metabase.com/blog/security-advisory" }, { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1" }, { "tags": [ "x_transferred" ], "url": "https://news.ycombinator.com/item?id=36812256" }, { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/issues/32552" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server\u0027s privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-15T16:05:58.126975", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.metabase.com/blog/security-advisory" }, { "url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1" }, { "url": "https://news.ycombinator.com/item?id=36812256" }, { "url": "https://github.com/metabase/metabase/issues/32552" }, { "url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html" }, { "url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-38646", "datePublished": "2023-07-21T00:00:00", "dateReserved": "2023-07-21T00:00:00", "dateUpdated": "2024-08-02T17:46:56.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23629
Vulnerability from cvelistv5
Published
2023-01-28 01:23
Modified
2024-08-02 10:35
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboard subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is that users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.
References
URL | Tags |
---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:35:33.616Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.43.7.1" }, { "status": "affected", "version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1" }, { "status": "affected", "version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.43.7.1" }, { "status": "affected", "version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1" }, { "status": "affected", "version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. 
On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-28T01:23:33.300Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5" } ], "source": { "advisory": "GHSA-ch8f-hhq9-7gv5", "discovery": "UNKNOWN" }, "title": "Metabase subject to Improper Privilege Management" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-23629", "datePublished": "2023-01-28T01:23:33.300Z", "dateReserved": "2023-01-16T17:07:46.245Z", "dateUpdated": "2024-08-02T10:35:33.616Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-32680
Vulnerability from cvelistv5
Published
2023-05-18 22:55
Modified
2025-02-12 16:38
Summary
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.
References
URL | Tags |
---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv | x_refsource_CONFIRM |
https://github.com/metabase/metabase/pull/30852 | x_refsource_MISC |
https://github.com/metabase/metabase/pull/30853 | x_refsource_MISC |
https://github.com/metabase/metabase/pull/30854 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:25:36.349Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv" }, { "name": "https://github.com/metabase/metabase/pull/30852", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/metabase/metabase/pull/30852" }, { "name": "https://github.com/metabase/metabase/pull/30853", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/metabase/metabase/pull/30853" }, { "name": "https://github.com/metabase/metabase/pull/30854", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/metabase/metabase/pull/30854" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-32680", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-21T19:09:31.091603Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-12T16:38:47.023Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.44.7" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.44.7" }, { "status": "affected", "version": "\u003e= 0.45.0, \u003c 0.45.4" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.45.4" }, { "status": "affected", "version": "\u003e= 0.46.0, \u003c 0.46.3" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.46.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business 
analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-18T22:55:30.636Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv" }, { "name": "https://github.com/metabase/metabase/pull/30852", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/metabase/metabase/pull/30852" }, { "name": "https://github.com/metabase/metabase/pull/30853", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/metabase/metabase/pull/30853" }, { "name": "https://github.com/metabase/metabase/pull/30854", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/metabase/metabase/pull/30854" } ], "source": { "advisory": "GHSA-mw6j-f894-4qxv", "discovery": "UNKNOWN" }, "title": "Missing SQL permissions check in metabase" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-32680", "datePublished": "2023-05-18T22:55:30.636Z", "dateReserved": "2023-05-11T16:33:45.731Z", "dateUpdated": "2025-02-12T16:38:47.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24854
Vulnerability from cvelistv5
Published
2022-04-14 21:40
Modified
2024-08-03 04:20
Summary
Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that, the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLite connection strings to contain the URL argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected.
References
URL | Tags |
---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329 | x_refsource_CONFIRM |
https://www.sqlite.org/lang_attach.html | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.469Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.sqlite.org/lang_attach.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003e= 1.41.0, \u003c 1.41.7" }, { "status": "affected", "version": "\u003e= 0.41.0, \u003c 0.41.7" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.4" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you\u0027re unable to upgrade, you can modify your SQLIte connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-610", "description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-14T21:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.sqlite.org/lang_attach.html" } ], "source": { "advisory": "GHSA-vm79-xvmp-7329", "discovery": "UNKNOWN" }, "title": "Database bypassing any permissions in Metabase via SQlite attach", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24854", "STATE": "PUBLIC", "TITLE": "Database bypassing any permissions in Metabase via SQlite attach" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "metabase", "version": { "version_data": [ { "version_value": "\u003e= 1.41.0, \u003c 1.41.7" }, { "version_value": "\u003e= 0.41.0, \u003c 0.41.7" }, { "version_value": "\u003e= 1.42.0, \u003c 1.42.4" }, { "version_value": "\u003e= 0.42.0, \u003c 0.42.4" } ] } } ] }, "vendor_name": "metabase" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Metabase is an open source business intelligence and analytics application. 
SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you\u0027re unable to upgrade, you can modify your SQLIte connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329", "refsource": "CONFIRM", "url": "https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329" }, { "name": "https://www.sqlite.org/lang_attach.html", "refsource": "MISC", "url": "https://www.sqlite.org/lang_attach.html" } ] }, "source": { "advisory": "GHSA-vm79-xvmp-7329", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24854", "datePublished": "2022-04-14T21:40:11", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.469Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
cve-2022-39358
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 12:00
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:44.120Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.42.6" }, { "status": "affected", "version": "\u003e= 0.43.0, \u003c 0.43.7" }, { "status": "affected", "version": "\u003e= 0.44.0, \u003c 0.44.5" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.42.6" }, { "status": "affected", "version": "\u003e= 1.43.0, \u003c 1.43.7" }, { "status": "affected", "version": "\u003e= 1.44.0, \u003c 1.44.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3" } ], "source": { "advisory": "GHSA-8qgm-9mj6-36h3", "discovery": "UNKNOWN" }, "title": "Metabase vulnerable to circumvention of Locked parameter in Signed Embedding" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39358", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:44.120Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-39359
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 12:00
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, a custom GeoJSON map URL would follow redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default).
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:44.147Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4" }, { "tags": [ "x_transferred" ], "url": "https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.41.9" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.6" }, { "status": "affected", "version": "\u003e= 0.43.0, \u003c 0.43.7" }, { "status": "affected", "version": "\u003e= 0.44.0, \u003c 0.44.5" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.41.9" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.6" }, { "status": "affected", "version": "\u003e= 1.43.0, \u003c 1.43.7" }, { "status": "affected", "version": "\u003e= 1.44.0, \u003c 1.44.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4" }, { "url": "https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e" } ], "source": { "advisory": "GHSA-w5j7-4mgm-77f4", "discovery": "UNKNOWN" }, "title": "Metabase\u0027s GeoJSON validation doesn\u0027t prevent redirects to blocked URLs" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39359", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:44.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-0697
Vulnerability from cvelistv5
Published
2018-11-15 15:00
Modified
2024-08-05 03:35
Summary
Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
URL | Tags |
---|---|
http://jvn.jp/en/jp/JVN14323043/index.html | third-party-advisory, x_refsource_JVN |
https://metabase.com/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Metabase, Inc. | Metabase | version 0.29.3 and earlier |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:49.107Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "JVN#14323043", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN14323043/index.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://metabase.com/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Metabase", "vendor": "Metabase, Inc.", "versions": [ { "status": "affected", "version": "version 0.29.3 and earlier" } ] } ], "datePublic": "2018-11-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-11-15T14:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "JVN#14323043", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN14323043/index.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://metabase.com/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0697", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Metabase", "version": { "version_data": [ { "version_value": "version 0.29.3 and earlier" } ] } } ] }, "vendor_name": "Metabase, Inc." } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting" } ] } ] }, "references": { "reference_data": [ { "name": "JVN#14323043", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN14323043/index.html" }, { "name": "https://metabase.com/", "refsource": "MISC", "url": "https://metabase.com/" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0697", "datePublished": "2018-11-15T15:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:49.107Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-37470
Vulnerability from cvelistv5
Published
2023-08-04 15:12
Modified
2024-10-17 14:54
Summary
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database, H2) exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user-supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite.
References
URL | Tags |
---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:16:30.142Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-37470", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:54:25.239902Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:54:36.299Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.43.7.3" }, { "status": "affected", "version": "\u003e= 0.44.0.0, \u003c 0.44.7.3" }, { "status": "affected", "version": "\u003e= 0.45.0.0, \u003c 0.45.4.3" }, { "status": "affected", "version": "\u003e= 0.46.0.0, \u003c 0.46.6.4" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.43.7.3" }, { "status": "affected", "version": "\u003e= 1.44.0.0, \u003c 1.44.7.3" }, { "status": "affected", "version": "\u003e= 1.45.0.0, \u003c 1.45.4.3" }, { "status": "affected", "version": "\u003e= 1.46.0.0, \u003c 1.46.6.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one\u0027s Metabase server. 
The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-04T15:12:43.188Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83" } ], "source": { "advisory": "GHSA-p7w3-9m58-rq83", 
"discovery": "UNKNOWN" }, "title": "Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint " } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-37470", "datePublished": "2023-08-04T15:12:43.188Z", "dateReserved": "2023-07-06T13:01:36.998Z", "dateUpdated": "2024-10-17T14:54:36.299Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24855
Vulnerability from cvelistv5
Published
2022-04-14 21:35
Modified
2024-08-03 04:20
Summary
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
References
URL | Tags |
---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr | x_refsource_CONFIRM |
https://github.com/metabase/metabase/releases/tag/v0.42.4 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.503Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.42.4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003e= 1.40.0, \u003c 1.40.8" }, { "status": "affected", "version": "\u003e= 0.40.0, \u003c 0.40.8" }, { "status": "affected", "version": "\u003e= 1.41.0, \u003c 1.41.7" }, { "status": "affected", "version": "\u003e= 0.41.0, \u003c 0.41.7" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.4" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-14T21:35:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/metabase/metabase/releases/tag/v0.42.4" } ], "source": { "advisory": "GHSA-wjw6-wm9w-7ggr", "discovery": "UNKNOWN" }, "title": "XSS vulnerability in Metabase", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24855", "STATE": "PUBLIC", "TITLE": "XSS vulnerability in Metabase" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "metabase", "version": { "version_data": [ { "version_value": "\u003e= 1.40.0, \u003c 1.40.8" }, { "version_value": "\u003e= 0.40.0, \u003c 0.40.8" }, { "version_value": "\u003e= 1.41.0, \u003c 1.41.7" }, { "version_value": "\u003e= 0.41.0, \u003c 0.41.7" }, { "version_value": "\u003e= 1.42.0, \u003c 1.42.4" }, { "version_value": "\u003e= 0.42.0, \u003c 0.42.4" } ] } } ] }, "vendor_name": "metabase" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Metabase is an open source business intelligence and analytics application. 
In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr", "refsource": "CONFIRM", "url": "https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr" }, { "name": "https://github.com/metabase/metabase/releases/tag/v0.42.4", "refsource": "MISC", "url": "https://github.com/metabase/metabase/releases/tag/v0.42.4" } ] }, "source": { "advisory": "GHSA-wjw6-wm9w-7ggr", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24855", "datePublished": "2022-04-14T21:35:11", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.503Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24853
Vulnerability from cvelistv5
Published
2022-04-14 21:45
Modified
2024-08-03 04:20
Summary
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
References
URL | Tags |
---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m | x_refsource_CONFIRM |
https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/ | x_refsource_MISC |
https://secure77.de/metabase-ntlm-relay-attack/ | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.543Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://secure77.de/metabase-ntlm-relay-attack/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003e= 1.40.0, \u003c 1.40.7" }, { "status": "affected", "version": "\u003e= 0.40.0, \u003c 0.40.7" }, { "status": "affected", "version": "\u003e= 1.41.0, \u003c 1.41.6" }, { "status": "affected", "version": "\u003e= 0.41.0, \u003c 0.41.6" }, { "status": "affected", "version": "\u003e= 1.42.0, \u003c 1.42.3" }, { "status": "affected", "version": "\u003e= 0.42.0, \u003c 0.42.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-18T16:11:26", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://secure77.de/metabase-ntlm-relay-attack/" } ], "source": { "advisory": "GHSA-5cfq-582c-c38m", "discovery": "UNKNOWN" }, "title": "File system exposure in Metabase", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24853", "STATE": "PUBLIC", "TITLE": "File system exposure in Metabase" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "metabase", "version": { "version_data": [ { "version_value": "\u003e= 1.40.0, \u003c 1.40.7" }, { "version_value": "\u003e= 0.40.0, \u003c 0.40.7" }, { "version_value": "\u003e= 1.41.0, \u003c 1.41.6" }, { "version_value": "\u003e= 0.41.0, \u003c 0.41.6" }, { "version_value": "\u003e= 1.42.0, \u003c 1.42.3" }, { "version_value": "\u003e= 0.42.0, \u003c 0.42.3" } ] } } ] }, "vendor_name": "metabase" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": 
"Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m", "refsource": "CONFIRM", "url": "https://github.com/metabase/metabase/security/advisories/GHSA-5cfq-582c-c38m" }, { "name": "https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/", "refsource": "MISC", "url": "https://www.qomplx.com/qomplx-knowledge-ntlm-relay-attacks-explained/" }, { "name": "https://secure77.de/metabase-ntlm-relay-attack/", "refsource": "MISC", "url": "https://secure77.de/metabase-ntlm-relay-attack/" } ] }, "source": { "advisory": "GHSA-5cfq-582c-c38m", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24853", "datePublished": 
"2022-04-14T21:45:16", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.543Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }