Metabase 0.41.x < 0.41.7 / 0.42.x < 0.42.4 / 1.41.x < 1.41.7 / 1.42.x < 1.42.4

high Nessus Plugin ID 261775

Synopsis

The remote host is affected by a vulnerability.

Description

The version of Metabase installed on the remote host is prior to 0.41.7, 0.42.4, 1.41.7 or 1.42.4 (the fixed releases named in the plugin title). It is, therefore, affected by a vulnerability as referenced in the CVE-2022-24854 advisory: Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, they can attach a second database to that connection and then query across all the tables of both. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLite connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected.
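The cross-database read described above, as an added example that is not Metabase's or Nessus's own code. It uses Python's sqlite3 module against two constructed database files in a temporary directory: `public.db`, the one the attacker holds SQL rights on, and `hr.db`, a second SQLite file on the same host whose path the attacker has learned. The hardened variant reproduces the effect of the `?limit_attached=0` JDBC URL argument by setting SQLITE_LIMIT_ATTACHED to zero on the connection (`Connection.setlimit`, Python 3.11 and later); on older interpreters it falls back to an authorizer that denies `ATTACH`, which is an application-level substitute assumed here, not the setting the advisory names. Table names, sample rows and file names are all invented for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample data for the demonstration: the attacker may run SQL against
# public.db; hr.db is a second SQLite file on the same host they should not reach.
PUBLIC_SCHEMA = [
    "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT)",
    "INSERT INTO products VALUES (1, 'widget')",
]
HR_SCHEMA = [
    "CREATE TABLE salaries(employee TEXT, salary INTEGER)",
    "INSERT INTO salaries VALUES ('alice', 120000)",
]


def create_db(path, statements):
    """Create a SQLite file at `path` and populate it with the given statements."""
    conn = sqlite3.connect(path)
    try:
        for stmt in statements:
            conn.execute(stmt)
        conn.commit()
    finally:
        conn.close()


def harden_connection(conn):
    """Mirror the advisory's `?limit_attached=0` workaround on a Python connection.

    SQLITE_LIMIT_ATTACHED=0 makes every ATTACH fail with
    'too many attached databases - max 0'. setlimit() exists from Python 3.11;
    on older interpreters an authorizer that denies SQLITE_ATTACH is used instead
    (an application-level substitute assumed here, not the advisory's setting).
    """
    if hasattr(conn, "setlimit"):
        conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, 0)
    else:
        def deny_attach(action, *_):
            if action == sqlite3.SQLITE_ATTACH:
                return sqlite3.SQLITE_DENY
            return sqlite3.SQLITE_OK
        conn.set_authorizer(deny_attach)


def attacker_query(public_db, hr_db_path, hardened=False):
    """What a user with SQL rights on public.db can type into a SQL editor:
    attach the second file by path, then read its tables through the alias."""
    conn = sqlite3.connect(public_db)
    try:
        if hardened:
            harden_connection(conn)
        # The attacker controls this literal; the path must already be known to them.
        quoted = hr_db_path.replace("'", "''")
        conn.execute(f"ATTACH DATABASE '{quoted}' AS other")
        return conn.execute(
            "SELECT employee, salary FROM other.salaries ORDER BY employee"
        ).fetchall()
    finally:
        conn.close()


def demo(hardened):
    """Run the attack against fresh files; report whether rows leaked or ATTACH was refused."""
    with tempfile.TemporaryDirectory() as workdir:
        public_db = os.path.join(workdir, "public.db")
        hr_db = os.path.join(workdir, "hr.db")
        create_db(public_db, PUBLIC_SCHEMA)
        create_db(hr_db, HR_SCHEMA)
        try:
            return ("leaked", attacker_query(public_db, hr_db, hardened))
        except sqlite3.DatabaseError as exc:  # OperationalError or 'not authorized'
            return ("blocked", str(exc))


if __name__ == "__main__":
    print("unrestricted connection:", demo(hardened=False))
    print("limit_attached=0       :", demo(hardened=True))
```

On an unrestricted connection the second call returns the `salaries` row from `hr.db` even though the attacker only ever connected to `public.db`; with the attached-database limit zeroed, the `ATTACH` statement itself is rejected and no cross-database query can be built on top of it. The limit is per connection, which is why the advisory places it in the connection string rather than in any table-level permission.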

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Metabase version 0.41.7, 0.42.4, 1.41.7, 1.42.4 or later, as appropriate for the installed release line. If upgrading is not immediately possible, add the url argument `?limit_attached=0` to SQLite connection strings as an interim mitigation.

See Also

http://www.nessus.org/u?e99daf52

Plugin Details

Severity: High

ID: 261775

File Name: metabase_CVE-2022-24854.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 9/9/2025

Updated: 9/9/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-24854

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:metabase:metabase

Required KB Items: installed_sw/Metabase

Patch Publication Date: 4/14/2022

Vulnerability Publication Date: 4/14/2022

Reference Information

CVE: CVE-2022-24854

CWE: CWE-610