CVE-2022-24854

8.0 HIGH

📋 TL;DR

A Metabase user with native SQL query permission on a SQLite database connection can issue SQLite's ATTACH DATABASE statement to open any other SQLite file the Metabase server process can read, and then query it alongside the permitted database, as long as the file path is known or guessed. Only Metabase instances with at least one SQLite data source are affected.

💻 Affected Systems

Products:
  • Metabase
Versions: All versions prior to v0.43.7.2 and v1.43.7.2
Operating Systems: All operating systems running Metabase
Default Config Vulnerable: ⚠️ Yes, whenever a SQLite connection exists and users hold native query permission on it (a fresh install ships only the H2 sample database, so it has no SQLite connection until an administrator adds one)
Notes: Only affects Metabase installations that connect to SQLite databases. PostgreSQL, MySQL and other server-based backends are not affected, because the attack relies on SQLite's file-path-based ATTACH.

📦 What is this software?

Metabase is an open-source business intelligence and analytics application that lets users build dashboards, use a visual query builder and, with the right permission, write native SQL against connected databases. SQLite is one of its supported data sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Read-out of every SQLite database file on the Metabase host that the Metabase process can open, including files backing connections the user holds no permission on, exposing business intelligence data, customer records or proprietary analytics.

🟠 Likely Case

Unauthorized reads across SQLite databases served by the same Metabase instance: data leaks between teams whose connections were meant to be isolated by Metabase's per-database permissions.

🟢 If Mitigated

Queries stay confined to the database the connection was opened on; ATTACH DATABASE is rejected.

🌐 Internet-Facing: MEDIUM - The attacker must already hold a Metabase account with native query permission on a SQLite connection and must know or guess file paths; internet exposure mainly enlarges the pool of accounts that could be phished or credential-stuffed and then used.
🏢 Internal Only: MEDIUM - Any insider with native query permission on one SQLite connection can read other SQLite files reachable by the Metabase process, bypassing the per-database permissions configured in Metabase.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NOT NEEDED - a single ATTACH DATABASE statement in a native query is the whole exploit
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Metabase account with native query (SQL) permission on at least one SQLite connection, plus the filesystem path of the target file; paths are often guessable (default data directories, names of other connections). ATTACH DATABASE is standard, well-documented SQLite syntax, and the DATABASE keyword is optional (ATTACH 'file' AS name works too). Reach is bounded by the operating-system permissions of the Metabase process: it can only attach files that process can read. An attached database is scoped to the SQLite connection that issued the ATTACH, and with a pooled JDBC connection it can persist for later queries on that same connection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.43.7.2 and v1.43.7.2

Vendor Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329

Restart Required: Yes

Instructions:

1. Back up your Metabase instance and its application database.
2. Download and install the fixed release from the official repository: v0.43.7.2 (open-source edition) or v1.43.7.2 (Enterprise edition), keeping the edition you already run.
3. Restart the Metabase service.
4. Verify the version is updated and that existing SQLite connections and saved questions still work.

🔧 Temporary Workarounds

SQLite Connection String Modification

Applies to: all affected versions

Add the limit_attached=0 option to the JDBC connection string of every SQLite connection. The sqlite-jdbc driver maps it to SQLite's SQLITE_LIMIT_ATTACHED limit; with the limit at 0, any ATTACH DATABASE statement fails with an error instead of opening the file.

Modify each SQLite connection's JDBC options to include: ?limit_attached=0 (as a raw JDBC URL: jdbc:sqlite:/path/to/db.sqlite?limit_attached=0; in Metabase, use the additional JDBC connection string options field on the database's admin page if your version exposes it).

Caveats: the option must be present on every SQLite connection, an administrator who later adds a SQLite connection without it reintroduces the issue, and it does not change what the Metabase process itself can read from disk.
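As an added illustration of both the exploit mechanism described under Exploit Status and the limit_attached=0 workaround above (this is example code written for this page, not code from the advisory or the Metabase project), the following Python script reproduces the behaviour at the SQLite level: it creates two constructed SQLite files, shows that a connection opened on the first can ATTACH and read the second, then caps SQLITE_LIMIT_ATTACHED at 0 (the C-level limit the sqlite-jdbc limit_attached option sets) and shows the same ATTACH failing. File names, table contents and paths are made up; the setlimit call needs Python 3.11 or newer, and Metabase itself runs native queries through sqlite-jdbc rather than Python, so this models SQLite, not Metabase's request path.

```python
import os
import sqlite3
import tempfile

# Python 3.11+ exposes sqlite3_limit(); older interpreters cannot apply the cap from Python.
SETLIMIT_SUPPORTED = hasattr(sqlite3.Connection, "setlimit")


def build_fixture(workdir):
    """Create two SQLite files: 'sales' (the user's permitted connection) and 'hr'
    (a foreign file on the same host). All contents are constructed sample data."""
    allowed = os.path.join(workdir, "sales.sqlite")
    foreign = os.path.join(workdir, "hr.sqlite")

    c = sqlite3.connect(allowed)
    with c:
        c.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL)")
        c.execute("INSERT INTO orders (amount) VALUES (19.99), (5.00)")
    c.close()

    c = sqlite3.connect(foreign)
    with c:
        c.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
        c.executemany("INSERT INTO employees (name, salary) VALUES (?, ?)",
                      [("alice", 120000), ("bob", 95000)])
    c.close()
    return allowed, foreign


def cross_db_read(allowed, foreign, max_attached=None):
    """Open the permitted database, optionally cap SQLITE_LIMIT_ATTACHED (what the JDBC
    limit_attached=0 option does on the Metabase side), then run the attacker's two
    statements. Returns (attach_succeeded, rows_or_error_message)."""
    conn = sqlite3.connect(allowed)
    try:
        if max_attached is not None:
            conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, max_attached)
        try:
            # The path is whatever the attacker guessed; it only has to be readable by this process.
            conn.execute("ATTACH DATABASE ? AS hr", (foreign,))
        except sqlite3.OperationalError as e:
            return False, str(e)
        rows = conn.execute("SELECT name, salary FROM hr.employees ORDER BY id").fetchall()
        return True, rows
    finally:
        conn.close()


def run_demo():
    """Run the unpatched and the mitigated scenario in a scratch directory and return both outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        allowed, foreign = build_fixture(workdir)
        unpatched_ok, unpatched_rows = cross_db_read(allowed, foreign)
        if SETLIMIT_SUPPORTED:
            mitigated_ok, mitigated_detail = cross_db_read(allowed, foreign, max_attached=0)
        else:
            mitigated_ok, mitigated_detail = None, "setlimit unavailable on this Python"
    return {
        "unpatched_attach_ok": unpatched_ok,      # True: foreign file was attached and read
        "unpatched_rows": unpatched_rows,         # rows pulled out of the foreign database
        "mitigated_attach_ok": mitigated_ok,      # False: ATTACH rejected with the limit at 0
        "mitigated_detail": mitigated_detail,     # SQLite's error text
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ATTACH succeeds in the first run because nothing in SQLite ties a connection to the file it was opened on; the limit is the only knob that refuses additional files, which is why the workaround applies it per connection rather than trying to filter query text.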

🧯 If You Can't Patch

  • Restrict native query (SQL) permission on every SQLite connection to a small, trusted group; query-builder-only access cannot issue ATTACH.
  • Run Metabase under a dedicated OS account whose read access is limited to the files it genuinely needs, so a successful ATTACH cannot reach other teams' SQLite files, backups or unrelated data on the host.
  • Migrate SQLite data sources to PostgreSQL, MySQL or another server-based backend, which are not affected by this issue.

🔍 How to Verify

Check if Vulnerable:

If the instance has at least one SQLite database connection and runs a version below v0.43.7.2 (open-source) or v1.43.7.2 (Enterprise), it is vulnerable. Instances with no SQLite connections are not exposed, whatever the version.

Check Version:

Read the running version from the Metabase admin settings, or on the server run: java -jar metabase.jar version

Verify Fix Applied:

Confirm the running version is v0.43.7.2 or v1.43.7.2 or later. Then, as a user with native query permission on a SQLite connection, run a native query containing ATTACH DATABASE ':memory:' AS probe and confirm it is rejected; an in-memory target is harmless on either outcome and creates no file.

📡 Detection & Monitoring

Log Indicators:

  • Native queries on a SQLite connection containing ATTACH or DETACH; match the bare verb, case-insensitively, because SQLite accepts ATTACH 'file' AS name without the DATABASE keyword and comments can be inserted between tokens
  • Queries on a SQLite connection that reference a schema other than main or temp (e.g. FROM hr.employees), which only resolves after an ATTACH
  • Native query text has to come from wherever your deployment captures it (Metabase's query execution records, a verbose application log, or a reverse proxy logging POST /api/dataset bodies)

Network Indicators:

  • SQLite is an in-process file database, so there is no database network traffic to inspect; watch Metabase API traffic instead: bursts of POST /api/dataset calls from one account
  • One account suddenly returning data from tables it has never queried before, or from more distinct tables than its permissions cover

SIEM Query (Splunk-style; the literal "ATTACH DATABASE" misses the keyword-less form, so match on the verb):

source="metabase" | regex _raw="(?i)\b(attach|detach)\b(\s+database)?\s+"
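As an added example of the log indicators above (written for this page; not Metabase code, and the record layout is invented), the following Python scans constructed native-query records from a SQLite connection for ATTACH/DETACH in any spelling, strips SQL comments first so ATTACH/**/DATABASE is not missed, and flags schema-qualified references to anything other than main or temp. The "ts user=... db=... sql=..." format and RECORD_RE are assumptions to replace with the parser for your own log source.

```python
import re

# Constructed sample records (NOT real Metabase log output): one native query per line,
# in a hypothetical "ts user=... db=... sql=..." layout.
SAMPLE_RECORDS = [
    '2022-04-18T10:00:01Z user=analyst db=sales sql="SELECT id, amount FROM orders WHERE amount > 10"',
    '2022-04-18T10:02:14Z user=analyst db=sales sql="ATTACH DATABASE \'/srv/metabase/hr.sqlite\' AS hr"',
    '2022-04-18T10:02:15Z user=analyst db=sales sql="SELECT name, salary FROM hr.employees"',
    '2022-04-18T10:05:30Z user=intern db=sales sql="attach \'/srv/metabase/finance.sqlite\' as fin"',
    '2022-04-18T10:06:02Z user=intern db=sales sql="ATTACH/**/DATABASE \'/srv/metabase/finance.sqlite\' AS fin2"',
    '2022-04-18T10:07:45Z user=analyst db=sales sql="SELECT attachment_id FROM tickets"',
    '2022-04-18T10:09:00Z user=intern db=sales sql="DETACH DATABASE fin"',
]

RECORD_RE = re.compile(r'^(\S+) user=(\S+) db=(\S+) sql="(.*)"$')   # hypothetical layout
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)                  # strip /* */ and -- comments
# SQLite accepts both "ATTACH DATABASE x AS y" and "ATTACH x AS y": match either, any case.
# \b keeps identifiers such as attachment_id from matching.
ATTACH_RE = re.compile(r"\b(attach|detach)\b(?:\s+database)?\s+(\S+)", re.I)
# A schema-qualified table whose schema is not main/temp only resolves after an ATTACH.
SCHEMA_REF_RE = re.compile(r"\b(?:from|join|into|update)\s+(\w+)\.(\w+)", re.I)


def analyze_sql(sql):
    """Return (kind, detail) findings for one native SQL query issued on a SQLite connection."""
    findings = []
    clean = COMMENT_RE.sub(" ", sql)
    for verb, target in ATTACH_RE.findall(clean):
        findings.append((verb.upper(), target))
    for schema, table in SCHEMA_REF_RE.findall(clean):
        if schema.lower() not in ("main", "temp"):
            findings.append(("FOREIGN_SCHEMA_REF", f"{schema}.{table}"))
    return findings


def scan_records(records):
    """Parse each record and collect findings as dicts; records that do not parse are skipped."""
    hits = []
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue
        ts, user, db, sql = m.groups()
        for kind, detail in analyze_sql(sql):
            hits.append({"ts": ts, "user": user, "db": db, "kind": kind, "detail": detail})
    return hits


if __name__ == "__main__":
    for h in scan_records(SAMPLE_RECORDS):
        print(f"{h['ts']} {h['user']:<8} {h['kind']:<19} {h['detail']}")
```

Only apply the schema-reference rule to SQLite connections: on PostgreSQL or MySQL, schema.table is ordinary syntax and would flood the alert with false positives, whereas on a SQLite connection a schema other than main or temp cannot exist without a prior ATTACH.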

🔗 References

  • Vendor advisory (GHSA-vm79-xvmp-7329): https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-24854