CVE-2022-39361

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-39361

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39361.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-39361

Aliases

GHSA-gqpj-wcr3-p88v

Published

2022-10-26T00:00:00Z

Modified

2026-02-15T03:12:32.134710Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Metabase vulnerable to Remote Code Execution via H2

Details

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39361.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-441"
    ]
}

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

Fixed

8dec3afd342cd843f151eef34a358ae5f8e551d0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.41.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

de1264e1b2c3516181a3e115803abe32b74a1b7b

Fixed

3a05e6289b7ba09c2c687bac95e176043ea35362

Database specific

{
    "versions": [
        {
            "introduced": "0.42.0"
        },
        {
            "fixed": "0.42.6"
        },
        {
            "introduced": "1.42.0"
        },
        {
            "fixed": "1.42.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

ee686fcfe5a006e228090a150365d4495bbb549c

Fixed

053b484db79f4d4b6f29536618a77c577f6705d9

Database specific

{
    "versions": [
        {
            "introduced": "0.43.0"
        },
        {
            "fixed": "0.43.7"
        },
        {
            "introduced": "1.43.0"
        },
        {
            "fixed": "1.43.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

d3700f5368dc0b0c51b42adc293c6458766c948b

Fixed

29fab4d4a06e77e68e227690636986534ba83275

Database specific

{
    "versions": [
        {
            "introduced": "0.44.0"
        },
        {
            "fixed": "0.44.5"
        },
        {
            "introduced": "1.44.0"
        },
        {
            "fixed": "1.44.5"
        }
    ]
}

Affected versions

0.*

0.10.3

0.34.0-rc1

Other

blah

v20150601-alpha

v20150603-alpha

v20150604-alpha

prettier-1.*

prettier-1.17.0-package

release-0.*

release-0.32.2

v0.*

v0.10.0

v0.10.3

v0.10.4

v0.10.4.1

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.12.0-test

v0.12.1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.19.3

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.21.0-rc2

v0.21.0-rc3

v0.21.1

v0.22.0

v0.22.1

v0.23.0

v0.23.0.RC2

v0.23.0.RC3

v0.23.0.RC4

v0.23.1

v0.24.0

v0.24.0.RC1

v0.24.0.RC2

v0.24.0.RC3

v0.24.0.RC4

v0.24.1

v0.24.2

v0.25.0

v0.25.0.RC1

v0.25.0.RC2

v0.26.0

v0.26.0.RC1

v0.26.0.RC2

v0.26.1

v0.28.0

v0.28.0-RC

v0.28.0-RC2

v0.28.0-RC3

v0.28.0.RC1

v0.28.1

v0.29.0

v0.29.0-RC1

v0.29.1

v0.29.2

v0.29.3

v0.30.0

v0.30.0-rc

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.31.0

v0.31.0-RC1

v0.31.1

v0.31.2

v0.32.0

v0.32.0-RC1

v0.32.0-RC2

v0.32.1

v0.32.2

v0.32.3

v0.32.4

v0.32.5

v0.32.6

v0.32.7

v0.32.8

v0.33.0

v0.33.0-RC1

v0.33.1

v0.33.2

v0.33.3

v0.33.4

v0.33.5

v0.33.5.1

v0.33.6

v0.33.7

v0.33.7.1

v0.33.7.2

v0.33.7.3

v0.34.0

v0.34.1

v0.34.1-rc-test

v0.34.2

v0.34.3

v0.35.0

v0.35.0-rc1

v0.35.0-rc2

v0.35.1

v0.35.2

v0.35.3

v0.35.4

v0.36.0

v0.36.0-rc1

v0.36.0-snapshot

v0.36.1

v0.36.2

v0.36.3

v0.36.4

v0.36.5

v0.36.5.1

v0.36.6

v0.36.7

v0.36.8

v0.36.8.1

v0.37.0

v0.37.0-rc2

v0.37.0.1

v0.37.0.2

v0.37.1

v0.37.2

v0.37.3

v0.37.4

v0.37.5

v0.37.6

v0.37.7

v0.37.8

v0.38.0

v0.38.0-preview

v0.38.0-rc1

v0.38.0-rc2

v0.38.0-rc3

v0.38.0-rc4

v0.38.0-rc5

v0.38.0.1

v0.38.1

v0.38.2

v0.38.3

v0.38.4

v0.39.0

v0.39.0-rc1

v0.39.0-rc2

v0.39.0.1

v0.39.1

v0.39.2

v0.39.3

v0.39.4

v0.40.0

v0.40.0-rc1-dan

v0.40.0-rc2

v0.41.0

v0.41.0-RC1

v0.41.1

v0.41.2

v0.41.3

v0.41.3.1

v0.41.5

v0.41.6

v0.41.7

v0.41.8

v0.42.0

v0.42.1

v0.42.2

v0.42.3

v0.42.4

v0.42.4.1

v0.42.5

v0.43.0

v0.43.1

v0.43.2

v0.43.3

v0.43.4

v0.43.4.1

v0.43.4.2

v0.43.5

v0.43.6

v0.44.0

v0.44.1

v0.44.2

v0.44.3

v0.44.4

v0.9-final

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.37.0.2

v1.37.1

v1.37.1.1

v1.37.1.2

v1.37.2

v1.37.3

v1.37.4

v1.37.5

v1.37.6

v1.37.7

v1.37.8

v1.38.0

v1.38.0.1

v1.38.1

v1.38.1-migration

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.0.1

v1.39.1

v1.39.2

v1.39.3

v1.39.4

v1.40.0

v1.40.0-rc2

v1.41.0

v1.41.0-RC1

v1.41.1

v1.41.2

v1.41.3

v1.41.3.1

v1.41.5

v1.41.6

v1.41.7

v1.41.8

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.4.1

v1.42.5

v1.43.0

v1.43.1

v1.43.2

v1.43.3

v1.43.4

v1.43.4.1

v1.43.4.2

v1.43.5

v1.43.6

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39361.json"