CVE-2022-39362

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-39362

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39362.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-39362

Aliases

GHSA-93wj-fgjg-r238

Published

2022-10-26T00:00:00Z

Modified

2025-11-28T04:56:42.769646Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Metabase vulnerable to arbitrary SQL execution from queryhash

Details

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39362.json",
    "cwe_ids": [
        "CWE-356"
    ]
}

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

Fixed

8dec3afd342cd843f151eef34a358ae5f8e551d0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.41.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

de1264e1b2c3516181a3e115803abe32b74a1b7b

Fixed

3a05e6289b7ba09c2c687bac95e176043ea35362

Database specific

{
    "versions": [
        {
            "introduced": "0.42.0"
        },
        {
            "fixed": "0.42.6"
        },
        {
            "introduced": "1.42.0"
        },
        {
            "fixed": "1.42.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

ee686fcfe5a006e228090a150365d4495bbb549c

Fixed

053b484db79f4d4b6f29536618a77c577f6705d9

Database specific

{
    "versions": [
        {
            "introduced": "0.43.0"
        },
        {
            "fixed": "0.43.7"
        },
        {
            "introduced": "1.43.0"
        },
        {
            "fixed": "1.43.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

d3700f5368dc0b0c51b42adc293c6458766c948b

Fixed

29fab4d4a06e77e68e227690636986534ba83275

Database specific

{
    "versions": [
        {
            "introduced": "0.44.0"
        },
        {
            "fixed": "0.44.5"
        },
        {
            "introduced": "1.44.0"
        },
        {
            "fixed": "1.44.5"
        }
    ]
}

Affected versions

0.*

0.10.3

0.34.0-rc1

Other

blah

v20150601-alpha

v20150603-alpha

v20150604-alpha

prettier-1.*

prettier-1.17.0-package

release-0.*

release-0.32.2

v0.*

v0.10.0

v0.10.3

v0.10.4

v0.10.4.1

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.12.0-test

v0.12.1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.19.3

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.21.0-rc2

v0.21.0-rc3

v0.21.1

v0.22.0

v0.22.1

v0.23.0

v0.23.0.RC2

v0.23.0.RC3

v0.23.0.RC4

v0.23.1

v0.24.0

v0.24.0.RC1

v0.24.0.RC2

v0.24.0.RC3

v0.24.0.RC4

v0.24.1

v0.24.2

v0.25.0

v0.25.0.RC1

v0.25.0.RC2

v0.26.0

v0.26.0.RC1

v0.26.0.RC2

v0.26.1

v0.28.0

v0.28.0-RC

v0.28.0-RC2

v0.28.0-RC3

v0.28.0.RC1

v0.28.1

v0.29.0

v0.29.0-RC1

v0.29.1

v0.29.2

v0.29.3

v0.30.0

v0.30.0-rc

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.31.0

v0.31.0-RC1

v0.31.1

v0.31.2

v0.32.0

v0.32.0-RC1

v0.32.0-RC2

v0.32.1

v0.32.2

v0.32.3

v0.32.4

v0.32.5

v0.32.6

v0.32.7

v0.32.8

v0.33.0

v0.33.0-RC1

v0.33.1

v0.33.2

v0.33.3

v0.33.4

v0.33.5

v0.33.5.1

v0.33.6

v0.33.7

v0.33.7.1

v0.33.7.2

v0.33.7.3

v0.34.0

v0.34.1

v0.34.1-rc-test

v0.34.2

v0.34.3

v0.35.0

v0.35.0-rc1

v0.35.0-rc2

v0.35.1

v0.35.2

v0.35.3

v0.35.4

v0.36.0

v0.36.0-rc1

v0.36.0-snapshot

v0.36.1

v0.36.2

v0.36.3

v0.36.4

v0.36.5

v0.36.5.1

v0.36.6

v0.36.7

v0.36.8

v0.36.8.1

v0.37.0

v0.37.0-rc2

v0.37.0.1

v0.37.0.2

v0.37.1

v0.37.2

v0.37.3

v0.37.4

v0.37.5

v0.37.6

v0.37.7

v0.37.8

v0.38.0

v0.38.0-preview

v0.38.0-rc1

v0.38.0-rc2

v0.38.0-rc3

v0.38.0-rc4

v0.38.0-rc5

v0.38.0.1

v0.38.1

v0.38.2

v0.38.3

v0.38.4

v0.39.0

v0.39.0-rc1

v0.39.0-rc2

v0.39.0.1

v0.39.1

v0.39.2

v0.39.3

v0.39.4

v0.40.0

v0.40.0-rc1-dan

v0.40.0-rc2

v0.41.0

v0.41.0-RC1

v0.41.1

v0.41.2

v0.41.3

v0.41.3.1

v0.41.5

v0.41.6

v0.41.7

v0.41.8

v0.42.0

v0.42.1

v0.42.2

v0.42.3

v0.42.4

v0.42.4.1

v0.42.5

v0.43.0

v0.43.1

v0.43.2

v0.43.3

v0.43.4

v0.43.4.1

v0.43.4.2

v0.43.5

v0.43.6

v0.44.0

v0.44.1

v0.44.2

v0.44.3

v0.44.4

v0.9-final

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.37.0.2

v1.37.1

v1.37.1.1

v1.37.1.2

v1.37.2

v1.37.3

v1.37.4

v1.37.5

v1.37.6

v1.37.7

v1.37.8

v1.38.0

v1.38.0.1

v1.38.1

v1.38.1-migration

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.0.1

v1.39.1

v1.39.2

v1.39.3

v1.39.4

v1.40.0

v1.40.0-rc2

v1.41.0

v1.41.0-RC1

v1.41.1

v1.41.2

v1.41.3

v1.41.3.1

v1.41.5

v1.41.6

v1.41.7

v1.41.8

v1.42.0

v1.42.1

v1.42.2

v1.42.3

v1.42.4

v1.42.4.1

v1.42.5

v1.43.0

v1.43.1

v1.43.2

v1.43.3

v1.43.4

v1.43.4.1

v1.43.4.2

v1.43.5

v1.43.6

v1.44.0

v1.44.1

v1.44.2

v1.44.3

v1.44.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39362.json"