VYPR
Unrated severity · NVD Advisory · Published Oct 26, 2022 · Updated Apr 23, 2025

Metabase vulnerable to arbitrary SQL execution from queryhash

CVE-2022-39362

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could serve as an attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Instead, the native editor shows the query and lets the user run it manually if they choose.

Affected products (2)

  • Metabase/Metabase (llm-fuzzy), 2 versions
    • (no CPE) range: <=0.41.9, <=0.42.6, <=0.43.7, <=0.44.5, and equivalent 1.x series
    • (no CPE) range: < 0.41.9
