Impact
H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases.
Patches
The following patches (or greater versions) are available:
- 0.44.5 and 1.44.5,
- 0.43.7 and 1.43.7,
- 0.42.6 and 1.42.6,
- 0.41.9 and 1.41.9
All releases are available on https://github.com/metabase/metabase/releases.
Mitigation
Metabase no longer allows DDL statements in H2 native queries.
Credits
Reported by https://github.com/abrahack via security@ email, with additional details provided by https://github.com/jasiam.
abrahack Analyst
Impact
H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases.
Patches
The following patches (or greater versions) are available:
All releases are available on https://github.com/metabase/metabase/releases.
Mitigation
Metabase no longer allows DDL statements in H2 native queries.
Credits
Reported by https://github.com/abrahack via security@ email, with additional details provided by https://github.com/jasiam.