CVE-2022-39362 (GCVE-0-2022-39362)

Vulnerability from cvelistv5 – Published: 2022-10-26 00:00 – Updated: 2025-04-23 16:42
VLAI?
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-356 - Product UI does not Warn User of Unsafe Actions
Assigner
References
Impacted products
Vendor Product Version
metabase metabase Affected: < 0.41.9
Affected: >= 0.42.0, < 0.42.6
Affected: >= 0.43.0, < 0.43.7
Affected: >= 0.44.0, < 0.44.5
Affected: >= 1.0.0, < 1.41.9
Affected: >= 1.42.0, < 1.42.6
Affected: >= 1.43.0, < 1.43.7
Affected: >= 1.44.0, < 1.44.5
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:44.081Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39362",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:47:19.634079Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:42:26.901Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "metabase",
          "vendor": "metabase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.41.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.42.0, \u003c 0.42.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.43.0, \u003c 0.43.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.44.0, \u003c 0.44.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.41.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.42.0, \u003c 1.42.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.43.0, \u003c 1.43.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.44.0, \u003c 1.44.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-356",
              "description": "CWE-356: Product UI does not Warn User of Unsafe Actions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-26T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238"
        },
        {
          "url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c"
        }
      ],
      "source": {
        "advisory": "GHSA-93wj-fgjg-r238",
        "discovery": "UNKNOWN"
      },
      "title": "Metabase vulnerable to arbitrary SQL execution from queryhash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39362",
    "datePublished": "2022-10-26T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:42:26.901Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.41.0\", \"versionEndExcluding\": \"0.41.9\", \"matchCriteriaId\": \"BCD50540-E323-41CE-9D9C-EDA8CB718E42\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.42.0\", \"versionEndExcluding\": \"0.42.6\", \"matchCriteriaId\": \"EF01C7BF-CB4C-4990-9082-587CFD555225\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.43.0\", \"versionEndExcluding\": \"0.43.7\", \"matchCriteriaId\": \"8858058E-C597-4752-8625-9B279DC65A48\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.44.0\", \"versionEndExcluding\": \"0.44.5\", \"matchCriteriaId\": \"6A94F7EA-BC18-4013-9A93-7962226FDD98\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.41.0\", \"versionEndExcluding\": \"1.41.9\", \"matchCriteriaId\": \"804B84E1-5D1A-4251-9829-65F5FD927D99\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.42.0\", \"versionEndExcluding\": \"1.42.6\", \"matchCriteriaId\": \"73310924-8CD4-4696-89B9-EED3390375A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.43.0\", \"versionEndExcluding\": \"1.43.7\", \"matchCriteriaId\": \"A86AA0C8-2C4F-4DDD-8371-6B43611E2479\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.44.0\", \"versionEndExcluding\": \"1.44.5\", \"matchCriteriaId\": \"EF7A60F6-5062-4094-91A5-71445F9B7BC1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.\"}, {\"lang\": \"es\", \"value\": \"Metabase es un software de visualizaci\\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, eran auto ejecutadas las consultas SQL no guardadas, lo que pod\\u00eda suponer un posible vector de ataque. Este problema ha sido corregido en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no ejecuta autom\\u00e1ticamente las consultas nativas ad hoc. Ahora el editor nativo muestra la consulta y da al usuario la opci\\u00f3n de ejecutarla manualmente si lo desea\"}]",
      "id": "CVE-2022-39362",
      "lastModified": "2024-11-21T07:18:07.203",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2022-10-26T19:15:15.800",
      "references": "[{\"url\": \"https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-356\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-39362\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-10-26T19:15:15.800\",\"lastModified\":\"2024-11-21T07:18:07.203\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.\"},{\"lang\":\"es\",\"value\":\"Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, eran auto ejecutadas las consultas SQL no guardadas, lo que pod\u00eda suponer un posible vector de ataque. Este problema ha sido corregido en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no ejecuta autom\u00e1ticamente las consultas nativas ad hoc. Ahora el editor nativo muestra la consulta y da al usuario la opci\u00f3n de ejecutarla manualmente si lo desea\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-356\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.41.0\",\"versionEndExcluding\":\"0.41.9\",\"matchCriteriaId\":\"BCD50540-E323-41CE-9D9C-EDA8CB718E42\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.42.0\",\"versionEndExcluding\":\"0.42.6\",\"matchCriteriaId\":\"EF01C7BF-CB4C-4990-9082-587CFD555225\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.43.0\",\"versionEndExcluding\":\"0.43.7\",\"matchCriteriaId\":\"8858058E-C597-4752-8625-9B279DC65A48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.44.0\",\"versionEndExcluding\":\"0.44.5\",\"matchCriteriaId\":\"6A94F7EA-BC18-4013-9A93-7962226FDD98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.41.0\",\"versionEndExcluding\":\"1.41.9\",\"matchCriteriaId\":\"804B84E1-5D1A-4251-9829-65F5FD927D99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.42.0\",\"versionEndExcluding\":\"1.42.6\",\"matchCriteriaId\":\"73310924-8CD4-4696-89B9-EED3390375A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.43.0\",\"versionEndExcluding\":\"1.43.7\",\"matchCriteriaId\":\"A86AA0C8-2C4F-4DDD-8371-6B43611E2479\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.44.0\",\"versionEndExcluding\":\"1.44.5\",\"matchCriteriaId\":\"EF7A60F6-5062-4094-91A5-71445F9B7BC1\"}]}]}],\"references\":[{\"url\":\"https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.