Cyber Resilience

CVE-2022-39362

High

Published: 26 October 2022

Published
26 October 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 62.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-39362 is a high-severity Product UI does not Warn User of Unsafe Actions (CWE-356) vulnerability in Metabase Metabase. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 37.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6,…

more

1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

metabase
metabase
0.41.0 — 0.41.9 · 0.42.0 — 0.42.6 · 0.43.0 — 0.43.7

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-356

Mandates explicit user-visible indication, directly countering absence of warnings for device activation.

References