{"id":"CVE-2022-39362","summary":"Metabase vulnerable to arbitrary SQL execution from queryhash","details":"Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.","aliases":["GHSA-93wj-fgjg-r238"],"modified":"2026-04-10T04:50:23.235900Z","published":"2022-10-26T00:00:00Z","database_specific":{"cwe_ids":["CWE-356"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39362.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39362.json"},{"type":"ADVISORY","url":"https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39362"},{"type":"FIX","url":"https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"0"},{"fixed":"8dec3afd342cd843f151eef34a358ae5f8e551d0"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.41.9"},{"introduced":"1.0.0"},{"fixed":"1.41.9"}]}},{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"de1264e1b2c3516181a3e115803abe32b74a1b7b"},{"fixed":"3a05e6289b7ba09c2c687bac95e176043ea35362"}],"database_specific":{"versions":[{"introduced":"0.42.0"},{"fixed":"0.42.6"},{"introduced":"1.42.0"},{"fixed":"1.42.6"}]}},{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"ee686fcfe5a006e228090a150365d4495bbb549c"},{"fixed":"053b484db79f4d4b6f29536618a77c577f6705d9"}],"database_specific":{"versions":[{"introduced":"0.43.0"},{"fixed":"0.43.7"},{"introduced":"1.43.0"},{"fixed":"1.43.7"}]}},{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"d3700f5368dc0b0c51b42adc293c6458766c948b"},{"fixed":"29fab4d4a06e77e68e227690636986534ba83275"}],"database_specific":{"versions":[{"introduced":"0.44.0"},{"fixed":"0.44.5"},{"introduced":"1.44.0"},{"fixed":"1.44.5"}]}}],"versions":["0.10.3","0.34.0-rc1","blah","v0.10.0","v0.10.3","v0.10.4","v0.10.4.1","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.12.0-test","v0.13.0","v0.26.0.RC1","v0.35.0","v0.35.0-rc1","v0.35.0-rc2","v0.36.0-snapshot","v0.37.0-rc2","v0.38.0-preview","v0.38.0-rc1","v0.38.0-rc2","v0.38.0-rc3","v0.38.0-rc4","v0.40.0","v0.40.0-rc1-dan","v0.40.0-rc2","v0.41.0","v0.41.0-RC1","v0.41.1","v0.41.2","v0.41.3","v0.41.3.1","v0.41.5","v0.41.6","v0.41.7","v0.41.8","v0.42.0","v0.42.1","v0.42.2","v0.42.3","v0.42.4","v0.42.4.1","v0.42.5","v0.43.0","v0.43.1","v0.43.2","v0.43.3","v0.43.4","v0.43.4.1","v0.43.4.2","v0.43.5","v0.43.6","v0.44.0","v0.44.1","v0.44.2","v0.44.3","v0.44.4","v0.9-final","v1.40.0","v1.40.0-rc2","v1.41.0","v1.41.0-RC1","v1.41.1","v1.41.2","v1.41.3","v1.41.3.1","v1.41.5","v1.41.6","v1.41.7","v1.41.8","v1.42.0","v1.42.1","v1.42.2","v1.42.3","v1.42.4","v1.42.4.1","v1.42.5","v1.43.0","v1.43.1","v1.43.2","v1.43.3","v1.43.4","v1.43.4.1","v1.43.4.2","v1.43.5","v1.43.6","v1.44.0","v1.44.1","v1.44.2","v1.44.3","v1.44.4","v20150601-alpha","v20150603-alpha","v20150604-alpha"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39362.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}