CVE-2022-39358

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39358

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39358.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39358

Aliases

GHSA-8qgm-9mj6-36h3

Published

2022-10-26T00:00:00Z

Modified

2025-12-04T10:37:30.015074Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Metabase vulnerable to circumvention of Locked parameter in Signed Embedding

Details

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39358.json",
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

Fixed

3a05e6289b7ba09c2c687bac95e176043ea35362

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.42.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

ee686fcfe5a006e228090a150365d4495bbb549c

Fixed

053b484db79f4d4b6f29536618a77c577f6705d9

Database specific

{
    "versions": [
        {
            "introduced": "0.43.0"
        },
        {
            "fixed": "0.43.7"
        },
        {
            "introduced": "1.43.0"
        },
        {
            "fixed": "1.43.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

d3700f5368dc0b0c51b42adc293c6458766c948b

Fixed

29fab4d4a06e77e68e227690636986534ba83275

Database specific

{
    "versions": [
        {
            "introduced": "0.44.0"
        },
        {
            "fixed": "0.44.5"
        },
        {
            "introduced": "1.44.0"
        },
        {
            "fixed": "1.44.5"
        }
    ]
}

Affected versions

0.*

0.10.3

0.34.0-rc1

Other

blah

v20150601-alpha

v20150603-alpha

v20150604-alpha

prettier-1.*

prettier-1.17.0-package

release-0.*

release-0.32.2

v0.*

v0.10.0

v0.10.3

v0.10.4

v0.10.4.1

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.12.0-test

v0.12.1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.19.3

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.21.0-rc2

v0.21.0-rc3

v0.21.1

v0.22.0

v0.22.1

v0.23.0

v0.23.0.RC2

v0.23.0.RC3

v0.23.0.RC4

v0.23.1

v0.24.0

v0.24.0.RC1

v0.24.0.RC2

v0.24.0.RC3

v0.24.0.RC4

v0.24.1

v0.24.2

v0.25.0

v0.25.0.RC1

v0.25.0.RC2

v0.26.0

v0.26.0.RC1

v0.26.0.RC2

v0.26.1

v0.28.0

v0.28.0-RC

v0.28.0-RC2

v0.28.0-RC3

v0.28.0.RC1

v0.28.1

v0.29.0

v0.29.0-RC1

v0.29.1

v0.29.2

v0.29.3

v0.30.0

v0.30.0-rc

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.31.0

v0.31.0-RC1

v0.31.1

v0.31.2

v0.32.0

v0.32.0-RC1

v0.32.0-RC2

v0.32.1

v0.32.2

v0.32.3

v0.32.4

v0.32.5

v0.32.6

v0.32.7

v0.32.8

v0.33.0

v0.33.0-RC1

v0.33.1

v0.33.2

v0.33.3

v0.33.4

v0.33.5

v0.33.5.1

v0.33.6

v0.33.7

v0.33.7.1

v0.33.7.2

v0.33.7.3

v0.34.0

v0.34.1

v0.34.1-rc-test

v0.34.2

v0.34.3

v0.35.0

v0.35.0-rc1

v0.35.0-rc2

v0.35.1

v0.35.2

v0.35.3

v0.35.4

v0.36.0

v0.36.0-rc1

v0.36.0-snapshot

v0.36.1

v0.36.2

v0.36.3

v0.36.4

v0.36.5

v0.36.5.1

v0.36.6

v0.36.7

v0.36.8

v0.36.8.1

v0.37.0

v0.37.0-rc2

v0.37.0.1

v0.37.0.2

v0.37.1

v0.37.2

v0.37.3

v0.37.4

v0.37.5

v0.37.6

v0.37.7

v0.37.8

v0.38.0

v0.38.0-preview

v0.38.0-rc1

v0.38.0-rc2

v0.38.0-rc3

v0.38.0-rc4

v0.38.0-rc5

v0.38.0.1

v0.38.1

v0.38.2

v0.38.3

v0.38.4

v0.39.0

v0.39.0-rc1

v0.39.0-rc2

v0.39.0.1

v0.39.1

v0.39.2

v0.39.3

v0.39.4

v0.40.0

v0.40.0-rc1-dan

v0.40.0-rc2

v0.41.0-RC1

v0.42.0

v0.42.0-preview1

v0.42.0-rc2

v0.42.1

v0.42.2

v0.42.3

v0.42.4

v0.42.4.1

v0.42.5

v0.43.0

v0.43.1

v0.43.2

v0.43.3

v0.43.4

v0.43.4.1

v0.43.4.2

v0.43.5

v0.43.6

v0.44.0

v0.44.1

v0.44.2

v0.44.3

v0.44.4

v0.9-final

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.37.0.2

v1.37.1

v1.37.1.1

v1.37.1.2

v1.37.2

v1.37.3

v1.37.4

v1.37.5

v1.37.6

v1.37.7

v1.37.8

v1.38.0

v1.38.0.1

v1.38.1

v1.38.1-migration

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.0.1

v1.39.1

v1.39.2

v1.39.3

v1.39.4

v1.40.0

v1.40.0-rc2

v1.41.0-RC1

v1.42.0

v1.42.0-preview1

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.4.1

v1.42.5

v1.43.0

v1.43.1

v1.43.2

v1.43.3

v1.43.4

v1.43.4.1

v1.43.4.2

v1.43.5

v1.43.6

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39358.json"