CVE-2022-24854 Information
Description
Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called ATTACH DATABASE which allows additional SQLite database files to be attached to an existing connection. If an attacker has SQL (native query) permissions on at least one SQLite database in Metabase, they can ATTACH a second SQLite database file to that connection and then query across all the tables in both databases, bypassing the per-data-source permissions Metabase enforces. To do this the attacker also needs to know the file path of the second database as seen by the Metabase server process. Users are advised to upgrade as soon as possible. If you are unable to upgrade, you can modify your SQLite connection strings to contain the URL argument ?limit_attached=0, which disallows attaching other SQLite databases to the connection. Only users making use of SQLite are affected.
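The attack and the mitigation side by side, as an added example that is not part of the advisory or of Metabase's own code. It uses Python's sqlite3 module rather than Metabase's JDBC stack: two constructed database files (sales.db, which the user may query, and hr.db, which they should never see) are created in a temporary directory, the ATTACH DATABASE trick is run from a connection to the first file, and then the same ATTACH is run against a connection hardened the way ?limit_attached=0 hardens a sqlite-jdbc connection, namely by setting SQLite's SQLITE_LIMIT_ATTACHED to 0 (Connection.setlimit, Python 3.11+), with an authorizer that denies the SQLITE_ATTACH action as a fallback on older Pythons. The table names, rows and file names are made up for the example.

```python
import os
import sqlite3
import tempfile
from contextlib import closing


def build_fixture(directory):
    """Create two separate SQLite files (constructed sample data).

    sales.db is the database the user legitimately has SQL access to;
    hr.db is a second database file on the same host that they should
    never be able to read.
    """
    allowed = os.path.join(directory, "sales.db")
    secret = os.path.join(directory, "hr.db")
    with closing(sqlite3.connect(allowed)) as c:
        c.execute("CREATE TABLE orders (id INTEGER, amount REAL)")
        c.execute("INSERT INTO orders VALUES (1, 19.99), (2, 5.00)")
        c.commit()
    with closing(sqlite3.connect(secret)) as c:
        c.execute("CREATE TABLE salaries (employee TEXT, salary INTEGER)")
        c.execute("INSERT INTO salaries VALUES ('alice', 120000), ('bob', 95000)")
        c.commit()
    return allowed, secret


def attach_and_read(allowed_path, secret_path):
    """The attack: from a connection to sales.db, ATTACH hr.db and read it.

    In Metabase the attacker would type the path as a string literal in the
    native query editor; a bound parameter is used here only to keep the
    example tidy.
    """
    with closing(sqlite3.connect(allowed_path)) as conn:
        conn.execute("ATTACH DATABASE ? AS hr", (secret_path,))
        # Cross-database query: both schemas are now visible on one connection.
        return conn.execute(
            "SELECT employee, salary FROM hr.salaries ORDER BY employee"
        ).fetchall()


def harden(conn):
    """Apply the equivalent of the advisory's ?limit_attached=0 to a connection.

    The JDBC URL argument sets SQLite's SQLITE_LIMIT_ATTACHED; the Python
    binding exposes the same limit via Connection.setlimit (3.11+).  On older
    Pythons fall back to an authorizer callback that denies the ATTACH action.
    Returns the mechanism used so the caller can log it.
    """
    if hasattr(conn, "setlimit") and hasattr(sqlite3, "SQLITE_LIMIT_ATTACHED"):
        conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, 0)
        return "limit"

    def deny_attach(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_ATTACH:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(deny_attach)
    return "authorizer"


def attach_is_blocked(allowed_path, secret_path):
    """Same attack against a hardened connection; True if ATTACH is refused."""
    with closing(sqlite3.connect(allowed_path)) as conn:
        harden(conn)
        try:
            conn.execute("ATTACH DATABASE ? AS hr", (secret_path,))
        except sqlite3.DatabaseError:
            # "too many attached databases - max 0" or "not authorized"
            return True
        return False


def demo():
    """Run the attack twice: once unprotected, once hardened."""
    with tempfile.TemporaryDirectory() as d:
        allowed, secret = build_fixture(d)
        leaked = attach_and_read(allowed, secret)
        blocked = attach_is_blocked(allowed, secret)
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("rows read from the second database:", rows)
    print("ATTACH refused after hardening:", blocked)
```

The unprotected run returns every row of hr.salaries even though the connection was opened only against sales.db, which is exactly the cross-database read the advisory describes; the hardened run fails at the ATTACH statement before any of the second file is opened. Note that the limit only stops ATTACH; it does not restore per-table permissions inside the database the user is already allowed to query.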
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/metabase/metabase/security/advisories/GHSA-vm79-xvmp-7329
https://www.sqlite.org/lang_attach.html
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH