{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T05:33:34.549","vulnerabilities":[{"cve":{"id":"CVE-2022-24854","sourceIdentifier":"security-advisories@github.com","published":"2022-04-14T22:15:08.110","lastModified":"2024-11-21T06:51:14.490","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLite connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected."},{"lang":"es","value":"Metabase es una aplicación de análisis e inteligencia empresarial de código abierto. SQLite presenta una característica similar a FDW llamada \"ATTACH DATABASE\", que permite conectar múltiples bases de datos SQLite por medio de la conexión inicial. Si el atacante presenta permisos de SQL en al menos una base de datos SQLite, entonces puede adjuntar esta base de datos a una segunda base de datos, y entonces puede consultar todas las tablas. Para poder hacer esto, el atacante también necesita conocer la ruta del archivo de la segunda base de datos. Es recomendado a usuarios actualizar lo antes posible. Si no puedes actualizar, puedes modificar tus cadenas de conexión SQLite para que contengan el argumento url \"?limit_attached=0\", que deshabilitará la realización de conexiones a otras bases de datos SQLite. Sólo estarán afectados los usuarios que usen SQLite"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.3,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-610"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*","versionStartIncluding":"0.41.0","versionEndExcluding":"0.41.7","matchCriteriaId":"548FFDC4-010F-4B2C-995F-41F540995B0E"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*","versionStartIncluding":"0.42.0","versionEndExcluding":"0.42.4","matchCriteriaId":"F9282AB8-E8AF-4431-9BED-D1427CDF81BE"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*","versionStartIncluding":"1.41.0","versionEndExcluding":"1.41.7","matchCriteriaId":"4E19CC33-86D1-42B3-8EBC-3642FF59A5AC"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*","versionStartIncluding":"1.42.0","versionEndExcluding":"1.42.4","matchCriteriaId":"0661FFDD-F667-4818-8EB3-B42E9E7001F2"}]}]}],"references":[{"url":"https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329","source":"security-advisories@github.com","tags":["Release Notes","Third Party Advisory"]},{"url":"https://www.sqlite.org/lang_attach.html","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://www.sqlite.org/lang_attach.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}