
CVSS: 8.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, the H2 database engine (the engine behind the bundled Sample Database) could be used for Remote Code Execution (RCE) by any user able to write native SQL queries against an H2 database. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries. • https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v • CWE-20: Improper Input Validation • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
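The fix above is a statement-class filter: native SQL aimed at H2 is refused if it contains DDL. The block below is an added example of what such a gate has to get right before the text reaches the engine; it is not Metabase's code, and the keyword set, the `execute` callback and the function names are assumptions for the example. The two cases worth handling are a DDL statement smuggled in after a semicolon ("SELECT 1; DROP TABLE t" passes any check that only looks at the first word) and comments or string literals that either hide the real first keyword or produce a false positive.

```python
"""Gatekeeper that refuses DDL in native queries sent to an H2 database.
Illustrative code added for this page; it is not Metabase's implementation.
The keyword list and function names are assumptions for the example."""
import re
from typing import Callable, List

# Statements that define schema objects or administer the engine. H2's
# CREATE ALIAS binds a SQL function to Java code, which is why letting a
# query author run arbitrary DDL reaches far beyond reading data.
DDL_KEYWORDS = {
    "CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME", "GRANT", "REVOKE",
    "RUNSCRIPT", "SCRIPT", "SHUTDOWN",
}


def strip_comments(sql: str) -> str:
    """Remove -- line comments and /* */ block comments while copying string
    literals verbatim, so a keyword hidden in a comment cannot disguise the
    real first statement and a keyword inside quotes is not a false positive."""
    out: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] == "'":                       # string literal; '' is an escaped quote
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2
                        continue
                    break
                j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):           # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):           # block comment
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def split_statements(sql: str) -> List[str]:
    """Split on semicolons that are outside string literals. A trailing
    statement is how "SELECT 1; DROP TABLE t" slips past a prefix-only check."""
    stmts, buf, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def first_keyword(stmt: str) -> str:
    """Leading keyword of a statement, skipping whitespace and opening parens."""
    m = re.match(r"[\s(]*([A-Za-z_]+)", stmt)
    return m.group(1).upper() if m else ""


def contains_ddl(sql: str) -> bool:
    """True if any statement in the query text begins with a DDL keyword."""
    cleaned = strip_comments(sql)
    return any(first_keyword(s) in DDL_KEYWORDS for s in split_statements(cleaned))


def run_native_query(sql: str, execute: Callable[[str], object]) -> object:
    """Refuse DDL before the text ever reaches the H2 engine; `execute` stands
    in for the real driver call (assumption for the example)."""
    if contains_ddl(sql):
        raise PermissionError("DDL statements are not permitted in H2 native queries")
    return execute(sql)
```

A keyword filter of this kind is a mitigation, not a substitute for not exposing a write-capable engine to query authors: it is only as good as its keyword list and its tokenizer, so it belongs in front of an H2 connection that is itself read-only wherever the deployment allows.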

CVSS: 6.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to perform password resets on Metabase, which could give a user a way to log in without going through the SSO identity provider (IdP). This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login. • https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730 • https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc • CWE-287: Improper Authentication • CWE-304: Missing Critical Step in Authentication
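The missing step here is a check that a reset is even meaningful for the account: an SSO-backed user has no local password that should be resettable, so issuing a reset creates a login path the IdP never sees. The block below is an added example of a reset flow with that gate; it is not Metabase's implementation, and the `User`/`ResetStore` shapes, the `sso_source` field and the function names are assumptions for the example. It applies the check twice, at token issuance and again at redemption, because an account can be switched to SSO after a token was issued and a gate only at the request step leaves that window open.

```python
"""Password-reset flow that refuses accounts authenticated through SSO.
Illustrative code added for this page, not Metabase's own implementation;
the User/ResetStore shapes and function names are assumptions."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    email: str
    sso_source: Optional[str] = None     # e.g. "saml", "jwt", "google"; None = local password
    password_hash: Optional[str] = None  # caller supplies an already-hashed value


@dataclass
class ResetStore:
    # token -> (email, expiry as epoch seconds); constructed in-memory stand-in
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)


def uses_sso(user: User) -> bool:
    return user.sso_source is not None


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def request_reset(user: User, store: ResetStore, now: Optional[float] = None,
                  ttl: float = 3600) -> Optional[str]:
    """Issue a reset token only for local-password accounts. An SSO user has no
    Metabase password to reset; issuing one would create a login path that
    bypasses the IdP."""
    if uses_sso(user):
        return None
    token = secrets.token_urlsafe(32)
    store.tokens[token] = (user.email, _now(now) + ttl)
    return token


def complete_reset(token: str, new_password_hash: str, users: Dict[str, User],
                   store: ResetStore, now: Optional[float] = None) -> bool:
    """Redeem a token. The SSO check is repeated here because the account may
    have been switched to SSO after the token was issued."""
    entry = store.tokens.pop(token, None)   # single use: a token is consumed on first try
    if entry is None:
        return False
    email, expires_at = entry
    if _now(now) > expires_at:
        return False
    user = users.get(email)
    if user is None or uses_sso(user):
        return False
    user.password_hash = new_password_hash
    return True
```

The same `uses_sso` predicate should also gate the password login endpoint itself, so that an SSO account with a stale local hash cannot be used with a password at all; the reset gate only closes the route by which such a hash gets created.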

CVSS: 6.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend directly, instead of going through the embed as rendered. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6. • https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-667: Improper Locking
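A locked parameter in a signed embed is a value the embedding application fixes in the token it signs (a tenant id, for instance); the viewer's browser is only ever meant to fill in the parameters that were left open. The bug class is the backend letting request-supplied values win over the signed ones. The block below is an added example of the two merge orders side by side; it is not Metabase's code, and the claim layout (a `params` object in which null marks an editable parameter), the secret and the function names are assumptions for the example. The JWT here is a minimal HS256 implementation written out so the example runs without dependencies.

```python
"""Locked parameters in a signed embed: the token, not the request, must be
the source of truth. Illustrative code added for this page, not Metabase's
implementation; the claim layout ("params" with null for editable values),
the secret and the function names are assumptions for the example."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_embed_token(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT (header.payload.signature) as the embedding app would mint it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_embed_token(token: str, secret: bytes) -> dict:
    """Check the MAC before trusting any claim; pin the algorithm to HS256."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("embedding token signature is invalid")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected token algorithm")
    return json.loads(_b64url_decode(payload))


def resolve_params_vulnerable(token: str, request_params: Dict[str, object],
                              secret: bytes) -> Dict[str, object]:
    """Shape of the bug: request values are merged over the signed ones, so a
    client that crafts its own backend request overwrites a "locked" tenant_id
    and reads another tenant's rows."""
    claims = verify_embed_token(token, secret)
    params = dict(claims["params"])
    params.update(request_params)
    return params


def resolve_params_fixed(token: str, request_params: Dict[str, object],
                         secret: bytes) -> Dict[str, Optional[object]]:
    """Locked parameters (non-null in the token) always win; the request may
    only fill parameters the token explicitly leaves editable (null)."""
    claims = verify_embed_token(token, secret)
    locked = {k: v for k, v in claims["params"].items() if v is not None}
    editable = {k for k, v in claims["params"].items() if v is None}
    for key in request_params:
        if key in locked:
            raise PermissionError(f"parameter {key!r} is locked by the embedding token")
        if key not in editable:
            raise PermissionError(f"parameter {key!r} is not exposed to this embed")
    resolved: Dict[str, Optional[object]] = {k: None for k in editable}
    resolved.update(locked)
    resolved.update(request_params)
    return resolved
```

Rejecting a request that tries to set a locked key, rather than silently ignoring it, is the better choice: a silent override hides probing, while a hard error is something a detection pipeline can alert on.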

CVSS: 8.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved (ad-hoc) native SQL queries were executed automatically when opened, before the user had a chance to review them, which is a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries; the native editor now shows the query and lets the user decide whether to run it. • https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c • https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238 • CWE-356: Product UI does not Warn User of Unsafe Actions

CVSS: 6.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, when fetching a custom GeoJSON map from a user-supplied URL, Metabase followed HTTP redirects, so a URL that passed the address check could redirect the request to an address that was otherwise disallowed, such as link-local or private-network ranges. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely; it defaults to `true`, so custom GeoJSON stays enabled unless it is explicitly set to `false`. • https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e • https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
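The pattern behind this entry is an SSRF filter that validates only the URL the user typed: the first hop resolves to a public address and passes, the server then follows a 3xx into link-local space and returns whatever it finds. The block below is an added example that reproduces the three policies side by side (follow blindly, refuse redirects as the fix does, or re-validate every hop) against a constructed DNS table and HTTP transport so it runs offline; it is not Metabase's code, and the fixture hostnames, addresses and function names are assumptions for the example.

```python
"""Fetching a custom GeoJSON map from a user-supplied URL without letting a
redirect carry the request into disallowed address space. Illustrative code
added for this page, not Metabase's implementation; the fake DNS table, the
fake HTTP transport and the policy names are constructed for the example."""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str], bytes]          # (status, headers, body)


def is_disallowed_ip(ip: str) -> bool:
    """Anything not globally routable, plus multicast/link-local/loopback, is off
    limits. IPv4-mapped IPv6 is unwrapped so ::ffff:10.0.0.1 does not slip through."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global or addr.is_multicast
            or addr.is_link_local or addr.is_loopback)


def validate_url(url: str, resolve: Callable[[str], List[str]]) -> None:
    """Scheme allow-list plus a check of every address the host resolves to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    for ip in resolve(parts.hostname):
        if is_disallowed_ip(ip):
            raise ValueError(f"{parts.hostname} resolves to disallowed address {ip}")


def fetch_geojson(url: str, transport: Callable[[str], Response],
                  resolve: Callable[[str], List[str]],
                  redirect_policy: str = "refuse", max_hops: int = 5) -> bytes:
    """redirect_policy: "follow" reproduces the pre-fix behaviour (validate the
    first URL only, then follow Location blindly); "refuse" is what the fix
    does; "revalidate" is the alternative of checking every hop."""
    validate_url(url, resolve)
    status, headers, body = transport(url)
    hops = 0
    while 300 <= status < 400 and "Location" in headers:
        target = headers["Location"]
        if redirect_policy == "refuse":
            raise PermissionError(f"redirect to {target} refused")
        hops += 1
        if hops > max_hops:
            raise PermissionError("too many redirects")
        if redirect_policy == "revalidate":
            validate_url(target, resolve)
        status, headers, body = transport(target)   # "follow": no check on this hop
    return body


# Constructed fixtures: no network is touched.
FAKE_DNS = {"maps.example.com": ["93.184.216.34"]}            # some public address
FAKE_WEB: Dict[str, Response] = {
    "https://maps.example.com/ok.geojson":
        (200, {}, b'{"type":"FeatureCollection","features":[]}'),
    "https://maps.example.com/regions.geojson":                 # attacker-controlled map URL
        (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/":                 # link-local metadata endpoint
        (200, {}, b"ami-id\ninstance-id\n"),
}


def fake_resolve(host: str) -> List[str]:
    try:
        ipaddress.ip_address(host)      # literal IP: nothing to resolve
        return [host]
    except ValueError:
        return FAKE_DNS[host]


def fake_transport(url: str) -> Response:
    return FAKE_WEB[url]
```

Even with redirects refused, the resolve-then-connect split leaves a DNS rebinding window; a production fetcher should connect to the address it validated rather than let the HTTP client resolve the name a second time, and a deployment that does not need custom maps at all can simply set `MB_CUSTOM_GEOJSON_ENABLED=false`.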