Metabase 0.41.x < 0.41.9 / 0.42.x < 0.42.6 / 0.43.x < 0.43.7 / 0.44.x < 0.44.5 / 1.41.x < 1.41.9 / 1.42.x < 1.42.6 / 1.43.x < 1.43.7 / 1.44.x < 1.44.5

high Nessus Plugin ID 261766

Synopsis

The remote host is affected by a vulnerability.

Description

The version of Metabase installed on the remote host is affected by multiple vulnerabilities:
- an H2 (Sample Database) Remote Code Execution (RCE), which can be abused by users able to write SQL queries against the H2 databases. Metabase fixed this issue by no longer allowing DDL statements in H2 native queries.

- Unsaved SQL queries are auto-executed, which could serve as an attack vector. Metabase no longer automatically executes ad-hoc native queries.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Metabase version 0.41.9, 0.42.6, 0.43.7, 0.44.5, 1.41.9, 1.42.6, 1.43.7, 1.44.5, or later.

See Also

http://www.nessus.org/u?b6fd8b92

http://www.nessus.org/u?976ba82a

http://www.nessus.org/u?480df798

Plugin Details

Severity: High

ID: 261766

File Name: metabase_CVE-2022-39361.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 9/9/2025

Updated: 9/9/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-39361

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:metabase:metabase

Required KB Items: installed_sw/Metabase

Patch Publication Date: 10/26/2022

Vulnerability Publication Date: 10/26/2022

Reference Information

CVE: CVE-2022-39361, CVE-2022-39362