Skip to main content

Metabase CVE-2022-24854

HIGH
Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
2022-04-14 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 14, 2022 - 22:15 nvd
HIGH 8.8

DescriptionNVD

Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called ATTACH DATABASE, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLIte connection strings to contain the url argument ?limit_attached=0, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected.

AnalysisAI

Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-610. Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called ATTACH DATABASE, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLIte connection strings to contain the url argument ?limit_attached=0, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected. Affected products include: Metabase.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-38646 CRITICAL POC
9.8 Jul 21

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman

CVE-2021-41277 HIGH POC
7.5 Nov 17

Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2022-43776 MEDIUM POC
6.5 Oct 26

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For

CVE-2026-50148 CRITICAL
10.0 Jul 15

Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed release

CVE-2023-37470 CRITICAL
9.8 Aug 04

Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-32680 CRITICAL
9.6 May 18

Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely

CVE-2022-24853 MEDIUM POC
5.3 Apr 14

Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-59827 HIGH
8.8 Jul 09

Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run

CVE-2022-39362 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-39361 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2026-27464 HIGH
7.7 Feb 21

Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi

CVE-2026-50147 HIGH
7.6 Jul 15

Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds dat

Share

CVE-2022-24854 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy