Headline
CVE-2022-39361: Remote Code Execution via H2
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.
Package
Metabase OSS and Enterprise (Metabase)
Affected versions
< x.44.5, < x.43.7, < x.42.6, < x.41.9 (x = 0 for OSS releases, 1 for Enterprise releases)
Patched versions
0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, 1.41.9
Description
Impact
H2 (including the bundled Sample Database, which is an H2 database) could allow Remote Code Execution (RCE). The issue can be abused by any user permitted to write native SQL queries against an H2 data source.
Patches
The following releases (or any later release) contain the fix:
- 0.44.5 and 1.44.5
- 0.43.7 and 1.43.7
- 0.42.6 and 1.42.6
- 0.41.9 and 1.41.9
All releases are available at https://github.com/metabase/metabase/releases.
Mitigation
The fix rejects DDL statements in native queries run against H2 databases; Metabase no longer allows DDL in H2 native queries. Upgrading to a patched release is the remediation. Until then, the precondition for abuse is the ability to write native SQL against an H2 data source, so limiting which user groups have native query access to H2 databases reduces exposure.
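DDL is the vector here because H2's DDL includes statements such as CREATE ALIAS, which can bind a SQL function to inline Java source, so a user who can run DDL against an H2 database can run code in the Metabase JVM. The following is an added example, not Metabase's code, of the kind of gate the fix describes: a read-only check applied to a native query before it reaches H2. All function and constant names are hypothetical. It strips comments and quoted text first so that a DDL keyword inside a string literal does not cause a false positive and a stacked statement after a comment or semicolon cannot slip past a naive prefix check.

```python
import re

# Leading keywords a read-only native query may start with. This is an
# illustrative allowlist (an assumption of this example, not Metabase's list):
# anything else is rejected, so every DDL verb is blocked without having to
# enumerate H2's full DDL grammar.
READ_ONLY_KEYWORDS = {"SELECT", "WITH", "VALUES", "EXPLAIN"}

# DDL verbs are named separately only so the rejection reason is specific.
DDL_KEYWORDS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE", "COMMENT"}

# One left-to-right pass over comments, H2 $$...$$ dollar-quoted strings,
# single-quoted strings and double-quoted identifiers. Matching them together
# means a "--" inside a string is not mistaken for a comment, and a keyword
# inside a literal or comment cannot trigger (or dodge) the check.
_NOISE_RE = re.compile(
    r"(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<dollar>\$\$.*?\$\$)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<ident>\"(?:[^\"]|\"\")*\")",
    re.S,
)


def strip_noise(sql: str) -> str:
    """Replace comments with whitespace and quoted text with placeholders."""
    def repl(m):
        if m.group("comment"):
            return " "
        if m.group("ident"):
            return "x"  # anonymous identifier placeholder
        return "''"     # empty literal stands in for any string/dollar text
    return _NOISE_RE.sub(repl, sql)


def split_statements(sql: str) -> list:
    """Split on ';' once quoted text is gone, dropping empty statements."""
    return [s.strip() for s in sql.split(";") if s.strip()]


def leading_keyword(stmt: str) -> str:
    """First bare word of a statement, ignoring opening parentheses."""
    m = re.match(r"[\s(]*([A-Za-z_]+)", stmt)
    return m.group(1).upper() if m else ""


def check_native_query(sql: str):
    """Return (allowed, reason) for a native query destined for an H2 database."""
    stmts = split_statements(strip_noise(sql))
    if not stmts:
        return False, "empty query"
    for stmt in stmts:
        kw = leading_keyword(stmt)
        if kw in DDL_KEYWORDS:
            return False, f"DDL statement ({kw}) is not allowed in native queries"
        if kw not in READ_ONLY_KEYWORDS:
            return False, f"statement starts with {kw or '?'}, which is not read-only"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample queries; the last one stacks DDL after a harmless SELECT.
    samples = [
        "SELECT * FROM ORDERS",
        "SELECT 'DROP TABLE ORDERS' AS note",
        "SELECT 1 -- ; DROP TABLE ORDERS",
        "DROP TABLE ORDERS",
        "SELECT 1; CREATE ALIAS GREET AS $$ String greet() { return \"hi\"; } $$",
    ]
    for q in samples:
        print(check_native_query(q), repr(q))
```

A leading-keyword allowlist only addresses the DDL path this advisory covers; it does not sandbox what a SELECT may call, and it is not a substitute for running H2 connections under a database user without DDL privileges. The real gate must sit server-side on the query path, never in the client.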
Credits
Reported by https://github.com/abrahack via security@ email, with additional details provided by https://github.com/jasiam.