VYPR
Unrated severity · NVD Advisory · Published Oct 26, 2022 · Updated Apr 23, 2025

Metabase vulnerable to circumvention of Locked parameter in Signed Embedding

CVE-2022-39358

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.

Affected products

2
  • Metabase/Metabase (2 versions)
    • (no CPE) range: <0.42.6 || (>=0.43.0 <0.43.7) || (>=0.44.0 <0.44.5) || >=1.42.0 <1.42.6 || (>=1.43.0 <1.43.7) || (>=1.44.0 <1.44.5)
    • (no CPE) range: < 0.42.6
