Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39358.json",
"cwe_ids": [
"CWE-200"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "0.42.0"
},
{
"fixed": "0.42.6"
},
{
"introduced": "1.42.0"
},
{
"fixed": "1.42.6"
},
{
"introduced": "0.43.0"
},
{
"fixed": "0.43.7"
},
{
"introduced": "1.43.0"
},
{
"fixed": "1.43.7"
},
{
"introduced": "0.44.0"
},
{
"fixed": "0.44.5"
},
{
"introduced": "1.44.0"
},
{
"fixed": "1.44.5"
}
],
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*"
}