Impact
Unsaved SQL queries are auto-executed, which could be used as an attack vector.
Patches
The following patched versions (or later) are available:
- 0.44.5 and 1.44.5
- 0.43.7 and 1.43.7
- 0.42.6 and 1.42.6
- 0.41.9 and 1.41.9
All releases are available on https://github.com/metabase/metabase/releases.
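As an added example (not Metabase's own code), this Python sketch checks a deployed version string against the fixed releases listed above. It assumes versions look like `0.44.5`, optionally with a `v` prefix or a fourth numeric component, and that release lines newer than 44 carry the fix; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed patch level per minor release line, taken from the advisory's list.
# The advisory pairs each 0.x fix with the same-numbered 1.x fix.
FIXED_PATCH = {41: 9, 42: 6, 43: 7, 44: 5}

# Assumed version shape: optional "v", major 0 or 1, minor, patch, optional 4th part.
VERSION_RE = re.compile(r"^v?([01])\.(\d+)\.(\d+)(?:\.\d+)?$")


def check(version):
    """Return (status, upgrade_target) for one Metabase version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])

    # Assumption: "or greater versions" covers every later release line.
    if minor > max(FIXED_PATCH):
        return ("patched", None)

    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        # The advisory lists no fixed release on this line.
        return ("no-fix-listed", None)
    if patch >= fixed:
        return ("patched", None)
    return ("upgrade", f"{major}.{minor}.{fixed}")


def needs_action(inventory):
    """Map host -> (status, target) for every host that is not patched."""
    results = {host: check(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items() if r[0] != "patched"}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "bi-prod": "v1.43.6",
    "bi-staging": "0.44.5",
    "bi-legacy": "0.40.5",
    "bi-dev": "0.41.9.1",
}

if __name__ == "__main__":
    for host, (status, target) in needs_action(SAMPLE).items():
        print(host, status, target or "")
```

Hosts reported as `no-fix-listed` are on a release line the advisory does not name, so they need a manual decision rather than an automatic pass.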
Mitigation
Metabase no longer automatically executes ad-hoc native queries. The native editor now shows the query and gives the user the option to run it manually if they want.
Credits
Reported by https://github.com/abrahack via security@ email.