PT-2022-24926 · Metabase · Metabase

Ranquild · Published 2022-10-26 · Updated 2022-10-28 · CVE-2022-39358

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Metabase versions prior to 0.44.5
Metabase versions prior to 1.44.5
Metabase versions prior to 0.43.7
Metabase versions prior to 1.43.7
Metabase versions prior to 0.42.6
Metabase versions prior to 1.42.6

Description

The issue allows circumvention of locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend.

Recommendations

For Metabase versions prior to 0.44.5, update to version 0.44.5 or later.
For Metabase versions prior to 1.44.5, update to version 1.44.5 or later.
For Metabase versions prior to 0.43.7, update to version 0.43.7 or later.
For Metabase versions prior to 1.43.7, update to version 1.43.7 or later.
For Metabase versions prior to 0.42.6, update to version 0.42.6 or later.
For Metabase versions prior to 1.42.6, update to version 1.42.6 or later.

Exploit · Fix · Information Disclosure · Improper Locking

Weakness Enumeration

Related Identifiers

CVE-2022-39358
GHSA-8QGM-9MJ6-36H3

Affected Products

Metabase