CVE-2022-39358

Source
https://cve.org/CVERecord?id=CVE-2022-39358
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39358.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39358
Aliases
  • GHSA-8qgm-9mj6-36h3
Published
2022-10-26T00:00:00Z
Modified
2026-07-15T01:48:58.746295982Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Metabase vulnerable to circumvention of Locked parameter in Signed Embedding
Details

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39358.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type
GIT
Repo
https://github.com/metabase/metabase
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.42.0"
        },
        {
            "fixed": "0.42.6"
        },
        {
            "introduced": "1.42.0"
        },
        {
            "fixed": "1.42.6"
        },
        {
            "introduced": "0.43.0"
        },
        {
            "fixed": "0.43.7"
        },
        {
            "introduced": "1.43.0"
        },
        {
            "fixed": "1.43.7"
        },
        {
            "introduced": "0.44.0"
        },
        {
            "fixed": "0.44.5"
        },
        {
            "introduced": "1.44.0"
        },
        {
            "fixed": "1.44.5"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*"
}

Affected versions

v0.*
v0.42.0
v0.42.1
v0.42.2
v0.42.3
v0.42.4
v0.42.4.1
v0.42.5
v0.43.0
v0.43.1
v0.43.2
v0.43.3
v0.43.4
v0.43.4.1
v0.43.4.2
v0.43.5
v0.43.6
v0.44.0
v0.44.1
v0.44.2
v0.44.3
v0.44.4
v1.*
v1.42.0
v1.42.1
v1.42.2
v1.42.3
v1.42.4
v1.42.4.1
v1.42.5
v1.43.0
v1.43.1
v1.43.2
v1.43.3
v1.43.4
v1.43.4.1
v1.43.4.2
v1.43.5
v1.43.6
v1.44.0
v1.44.1
v1.44.2
v1.44.3
v1.44.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39358.json"