Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
The product’s user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Metabase | Metabase | 0.41.0 (including) | 0.41.9 (excluding) |
| Metabase | Metabase | 0.42.0 (including) | 0.42.6 (excluding) |
| Metabase | Metabase | 0.43.0 (including) | 0.43.7 (excluding) |
| Metabase | Metabase | 0.44.0 (including) | 0.44.5 (excluding) |
| Metabase | Metabase | 1.41.0 (including) | 1.41.9 (excluding) |
| Metabase | Metabase | 1.42.0 (including) | 1.42.6 (excluding) |
| Metabase | Metabase | 1.43.0 (including) | 1.43.7 (excluding) |
| Metabase | Metabase | 1.44.0 (including) | 1.44.5 (excluding) |