CVE-2022-39358
Metabase vulnerable to circumvention of Locked parameter in Signed Embedding
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.
Metabase es un software de visualización de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6 y 1.42.6, era posible omitir los parámetros bloqueados cuando se solicitaban datos para una pregunta en un tablero de mando insertado al construir una petición maliciosa al backend. Este problema está parcheado en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6 y 1.42.6
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-09-02 CVE Reserved
- 2022-10-26 CVE Published
- 2024-05-18 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-667: Improper Locking
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.42.0 < 0.42.6 Search vendor "Metabase" for product "Metabase" and version " >= 0.42.0 < 0.42.6" | - |
Affected
| ||||||
| Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.43.0 < 0.43.7 Search vendor "Metabase" for product "Metabase" and version " >= 0.43.0 < 0.43.7" | - |
Affected
| ||||||
| Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.44.0 < 0.44.5 Search vendor "Metabase" for product "Metabase" and version " >= 0.44.0 < 0.44.5" | - |
Affected
| ||||||
| Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.42.0 < 1.42.6 Search vendor "Metabase" for product "Metabase" and version " >= 1.42.0 < 1.42.6" | - |
Affected
| ||||||
| Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.43.0 < 1.43.7 Search vendor "Metabase" for product "Metabase" and version " >= 1.43.0 < 1.43.7" | - |
Affected
| ||||||
| Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.44.0 < 1.44.5 Search vendor "Metabase" for product "Metabase" and version " >= 1.44.0 < 1.44.5" | - |
Affected
| ||||||