Unrated severity · NVD Advisory · Published Oct 26, 2022 · Updated Apr 23, 2025

Metabase vulnerable to Remote Code Execution via H2

CVE-2022-39361

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.

Affected products

2
  • Metabase/Metabase (2 versions)
    <0.44.5 or <1.44.5 or <0.43.7 or <1.43.7 or <0.42.6 or <1.42.6 or <0.41.9 or <1.41.9
    • (no CPE) range: <0.44.5 or <1.44.5 or <0.43.7 or <1.43.7 or <0.42.6 or <1.42.6 or <0.41.9 or <1.41.9
    • (no CPE) range: < 0.41.9
