Metabase is a popular open-source data visualization tool that lets users create and share visualizations, charts, and tables from their data. A vulnerability was recently discovered in versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6: it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard. The issue has been assigned CVE-2022-39358 and is fixed in the versions listed above.

Exploit Details

An attacker could exploit this vulnerability by constructing a malicious request to the backend, thereby bypassing the locked parameters and potentially gaining unauthorized access to sensitive data. To further illustrate this, let's consider an example where an attacker manipulates the GET request for an embedded dashboard:

# Malicious request example (illustrative; <TOKEN> stands for the embed token)
import requests

url = "https://example.metabase.com/embed/dashboard/<TOKEN>"
headers = {"Content-Type": "application/json"}
# The client supplies its own value for a parameter that the embed token
# was supposed to lock; pre-fix backends honoured the client-supplied value.
payload = {
    "parameters": [
        {
            "type": "date",
            "target": ["dimension", ["field-id", 123]],
            "value": "2020-01-01"
        }
    ]
}

response = requests.get(url, headers=headers, json=payload)
print(response.text)

In this example, the attacker sends a GET request with manipulated parameters to access data they should not have access to. Prior to the patched version, the Metabase backend would process this request and return the requested data, even if that data was supposed to be restricted by locked parameters.
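To make the failure mode concrete from the server's side, here is a simplified model (added for this write-up, not Metabase's own code) of how an embedding backend resolves dashboard parameters from a signed embed token plus client-supplied values. The token format, the `params` claim, the secret and the parameter names are assumptions for the example; the vulnerable resolver lets client values override locked ones, the fixed resolver rejects any attempt to set a locked parameter.

```python
import base64, hashlib, hmac, json

# Constructed secret for this example; not a real embedding secret.
EMBED_SECRET = b"constructed-embedding-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_embed_token(claims: dict, secret: bytes = EMBED_SECRET) -> str:
    """Mint an HS256 JWT; only the server holding the secret can do this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_embed_token(token: str, secret: bytes = EMBED_SECRET) -> dict:
    """Return the claims if the signature checks out, otherwise raise."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad embed token signature")
    return json.loads(_b64url_decode(body))

def resolve_parameters_vulnerable(token: str, client_params: dict) -> dict:
    """Pre-fix behaviour as described above: client values are merged last,
    so they silently override the locked values carried in the signed token."""
    locked = verify_embed_token(token)["params"]
    return {**locked, **client_params}

def resolve_parameters_fixed(token: str, client_params: dict) -> dict:
    """Fixed behaviour: locked parameters come only from the signed token, and
    a client attempt to set one is rejected instead of merged (log it too)."""
    locked = verify_embed_token(token)["params"]
    clash = set(locked) & set(client_params)
    if clash:
        raise PermissionError(f"locked parameter(s) cannot be overridden: {sorted(clash)}")
    return {**client_params, **locked}
```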

- 0.44.5
- 1.44.5
- 0.43.7
- 1.43.7
- 0.42.6
- 1.42.6

To protect against this vulnerability, it is highly recommended that users upgrade to one of these patched versions immediately. You can download the latest Metabase version from the official website:

- Metabase Download Page

For those who use Metabase through Docker, you can update to the latest version by pulling the latest image from the Docker repository:

docker pull metabase/metabase

After upgrading to a patched version, locked parameters are enforced again for embedded dashboard requests, closing this specific issue.

To learn more about this vulnerability, refer to the following resources:

- CVE-2022-39358 in the National Vulnerability Database
- Metabase GitHub Issue discussing the vulnerability
- Metabase Security Advisory

Conclusion

As with any software, it's important to stay up-to-date with the latest security patches to protect your data. The recent CVE-2022-39358 vulnerability exposed a weakness in earlier versions of Metabase, allowing attackers to bypass locked parameters when requesting data from an embedded dashboard. This issue has since been patched, and users should upgrade to one of the available fixed versions as soon as possible. By staying aware of security vulnerabilities and keeping software updated, we can mitigate risks and ensure the protection of sensitive information in our data visualizations.

Timeline

Published on: 10/26/2022 19:15:00 UTC
Last modified on: 10/28/2022 16:04:00 UTC