
CVE-2022-39362 – Metabase vulnerable to arbitrary SQL execution from queryhash
https://notcve.org/view.php?id=CVE-2022-39362
26 Oct 2022 — Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want. • https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c • CWE-356: Product UI does not Warn User of Unsafe Actions •

CVE-2022-24853 – File system exposure in Metabase
https://notcve.org/view.php?id=CVE-2022-24853
14 Apr 2022 — Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on Windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade i... • https://github.com/secure-77/CVE-2022-24853 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2022-24854 – Database bypassing any permissions in Metabase via SQLite attach
https://notcve.org/view.php?id=CVE-2022-24854
14 Apr 2022 — Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as ... • https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •

CVE-2022-24855 – XSS vulnerability in Metabase
https://notcve.org/view.php?id=CVE-2022-24855
14 Apr 2022 — Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.4... • https://github.com/metabase/metabase/releases/tag/v0.42.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-41277 – Metabase GeoJSON API Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2021-41277
17 Nov 2021 — Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your ... • https://github.com/tahtaciburak/CVE-2021-41277 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •