
CVE-2022-24854: CWE-610: Externally Controlled Reference to a Resource in Another Sphere in metabase metabase

Medium
Published: Thu Apr 14 2022 (04/14/2022, 21:40:11 UTC)
Source: CVE
Vendor/Project: metabase
Product: metabase

Description

Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite database files through the initial connection. If an attacker has SQL permissions on at least one SQLite database, they can attach a second database to it and then query across all tables of both. To do so the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you are unable to upgrade, you can modify your SQLite connection strings to contain the URL argument `?limit_attached=0`, which disallows attaching other SQLite databases. Only users making use of SQLite are affected.

AI-Powered Analysis

Last updated: 06/23/2025, 10:50:13 UTC

Technical Analysis

CVE-2022-24854 is a medium-severity vulnerability affecting Metabase, an open-source business intelligence and analytics platform. It arises from the way Metabase passes native SQL to SQLite connections, which exposes SQLite's ATTACH DATABASE statement. ATTACH opens a second database file by filesystem path on the same connection, after which tables of both databases can be queried together as `alias.table`. An attacker who already holds native SQL permissions on one SQLite data source in Metabase can therefore attach any SQLite database file on the Metabase host whose path they know and that the Metabase process can open, and read (or modify) all of its tables. This is an instance of CWE-610: Externally Controlled Reference to a Resource in Another Sphere, where attacker-supplied input (the file path in the ATTACH statement) selects a resource outside the intended scope of the granted permission.

Exploitation requires native SQL permissions on at least one SQLite database in Metabase and knowledge of the file path to the second database. The attack surface is limited to deployments that connect Metabase to SQLite data sources. The vulnerability affects Metabase versions from 0.41.0 up to but not including 0.41.7, from 1.41.0 up to but not including 1.41.7, from 0.42.0 up to but not including 0.42.4, and from 1.42.0 up to but not including 1.42.4. No known exploits have been reported in the wild.

Mitigation consists of upgrading to a patched version or, if upgrading is not immediately possible, adding the URL argument `?limit_attached=0` to the SQLite connection string. This is the sqlite-jdbc driver's `limit_attached` option, which sets SQLite's SQLITE_LIMIT_ATTACHED for the connection to zero, so that any ATTACH statement fails with a "too many attached databases" error and cross-database attachments cannot be made.
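The following is an added example, not code from Metabase or from this advisory, that reproduces the mechanism with Python's stdlib `sqlite3` module: two constructed SQLite files on one host, an attacker-style native query that attaches the second file by path and reads across it, and the equivalent of the `?limit_attached=0` workaround applied to the connection. Python 3.11+ exposes SQLITE_LIMIT_ATTACHED directly through `Connection.setlimit`; for older interpreters the same effect is obtained here with an authorizer callback that denies the ATTACH action. File names, table names and rows are made up for the demonstration.

```python
import os
import sqlite3
import tempfile


def make_databases(directory):
    """Create two SQLite files on the same host (constructed sample data).

    sales.db stands for the data source the attacker may query through
    Metabase; hr.db stands for a second file they were never granted.
    """
    sales = os.path.join(directory, "sales.db")
    hr = os.path.join(directory, "hr.db")
    conn = sqlite3.connect(sales)
    conn.execute("CREATE TABLE orders (id INTEGER, amount REAL)")
    conn.execute("INSERT INTO orders VALUES (1, 99.5)")
    conn.commit()
    conn.close()
    conn = sqlite3.connect(hr)
    conn.execute("CREATE TABLE salaries (employee TEXT, salary INTEGER)")
    conn.execute("INSERT INTO salaries VALUES ('alice', 120000)")
    conn.commit()
    conn.close()
    return sales, hr


def deny_attach(conn):
    """Refuse ATTACH DATABASE on this connection.

    Same control as the advisory's ?limit_attached=0 JDBC URL argument
    (SQLITE_LIMIT_ATTACHED = 0), reproduced with the Python sqlite3 API.
    """
    # Python 3.11+: set the limit directly; 0 means no attached databases at all.
    if hasattr(conn, "setlimit"):
        conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, 0)

    # Older Pythons cannot reach the limit, so also install an authorizer that
    # rejects the ATTACH action when the statement is compiled.
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_ATTACH:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def cross_db_read(allowed_db, target_db, hardened=False):
    """Run the attacker's native SQL on the connection for the allowed database.

    Returns the rows read out of the second database, or raises
    sqlite3.DatabaseError when the connection refuses the ATTACH.
    """
    conn = sqlite3.connect(allowed_db)
    try:
        if hardened:
            deny_attach(conn)
        # Attacker-controlled native query: attach a second file by its path ...
        conn.execute("ATTACH DATABASE ? AS other", (target_db,))
        # ... and then query it as if access had been granted.
        return conn.execute("SELECT employee, salary FROM other.salaries").fetchall()
    finally:
        conn.close()


def attach_is_blocked(allowed_db, target_db):
    """True when the hardened connection rejects the cross-database read."""
    try:
        cross_db_read(allowed_db, target_db, hardened=True)
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    """Vulnerable versus hardened behaviour on the same two files."""
    with tempfile.TemporaryDirectory() as d:
        sales, hr = make_databases(d)
        leaked = cross_db_read(sales, hr)        # [('alice', 120000)]
        blocked = attach_is_blocked(sales, hr)   # True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Note that the attacker never needs write access to anything: a connection opened for `sales.db` is enough, and the only thing the attached file's path has to satisfy is that the process running the query can open it. The hardened path fails before any row of `hr.db` is read.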

Potential Impact

For European organizations using Metabase with SQLite data sources, this vulnerability could lead to unauthorized data exposure across multiple databases on the same host. An attacker with native SQL permissions on one database could extend their access to other SQLite files by attaching them, reaching sensitive or confidential business intelligence data that was never meant to be accessible to them. This compromises data confidentiality, and integrity as well, since an attached database can be written to, which matters most in multi-tenant or segmented database environments. The impact is somewhat limited by the prerequisites: the attacker must already hold native SQL permissions in Metabase on a SQLite data source and must know the file path of the target database, which rules out unauthenticated remote exploitation and requires either a legitimate Metabase user with those rights or a previously compromised account. However, where Metabase is used to analyze sensitive data such as financial records, personal data, or strategic business information, the vulnerability could facilitate lateral movement and data exfiltration. Availability is unlikely to be directly affected. Given the widespread use of Metabase in analytics and reporting, unauthorized data access could lead to regulatory compliance issues under GDPR and damage to organizational reputation.

Mitigation Recommendations

1. Upgrade Metabase to 0.41.7 / 1.41.7 or 0.42.4 / 1.42.4 (or any later release) as soon as possible to eliminate the vulnerability.
2. For organizations unable to upgrade immediately, add the URL argument '?limit_attached=0' to the SQLite connection string used by Metabase. This sets SQLite's limit on attached databases to zero for that connection, so ATTACH DATABASE statements fail and cross-database attachments are prevented.
3. Restrict Metabase's native (SQL) query permission rigorously so that as few users and groups as possible can run raw SQL against SQLite data sources.
4. Implement strict file system permissions on SQLite database files, and run Metabase under an account that can only open the files it legitimately serves, so that other database files cannot be discovered or opened by an ATTACH issued through Metabase.
5. Monitor query logs for ATTACH statements and for queries that reference schema-qualified tables of an attached database, which could indicate exploitation attempts.
6. Conduct regular audits of Metabase configurations and database access controls to ensure adherence to the principle of least privilege.
7. Consider migrating from SQLite to a server-based database backend if multi-database access control is critical and cannot be sufficiently enforced in SQLite environments.
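As an added example for recommendation 5, and not part of the advisory or of Metabase, the detector below scans a constructed query log (one native query per line as `<timestamp> <user> <sql>`; this is an assumed format, not Metabase's own log layout) for ATTACH statements and for later queries by the same user that reference the attached schema. It strips SQL comments first, accepts the optional `DATABASE` keyword, and ignores an `ATTACH` that only occurs inside a string literal.

```python
import re

# Constructed sample log (not real Metabase output): "<timestamp> <user> <sql>" per line.
SAMPLE_LOG = """\
2022-04-14T21:40:11Z alice@example.com SELECT id, amount FROM orders WHERE amount > 50
2022-04-14T21:41:02Z mallory@example.com ATTACH DATABASE '/var/lib/metabase/hr.db' AS x
2022-04-14T21:41:03Z mallory@example.com SELECT * FROM x.salaries
2022-04-14T21:42:00Z mallory@example.com /* harmless */ attach 'hr.db' as y -- second try
2022-04-14T21:43:00Z bob@example.com SELECT 'ATTACH foo AS bar' AS note FROM orders
"""

# Block and line comments are removed before matching so they cannot hide a keyword.
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)

# ATTACH [DATABASE] <file-expression> AS <schema-name>; the DATABASE keyword is optional
# in SQLite, and the file may be a quoted literal or any other expression (e.g. a '?').
ATTACH_RE = re.compile(
    r"\bATTACH\b(?:\s+DATABASE\b)?\s+(?P<file>'(?:[^']|'')*'|\S+)\s+AS\s+(?P<alias>\w+)",
    re.IGNORECASE,
)


def _statements(log_text):
    """Yield (line_no, user, sql-without-comments) for each well-formed log line."""
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        _ts, user, sql = parts
        yield line_no, user, COMMENT_RE.sub(" ", sql)


def _attach_matches(sql):
    """ATTACH matches that are not merely text inside a string literal."""
    for m in ATTACH_RE.finditer(sql):
        # An odd number of single quotes before the keyword means it sits inside a
        # literal ('' escapes count as two and do not change parity).
        if sql[: m.start()].count("'") % 2:
            continue
        yield m


def find_attach_attempts(log_text):
    """Return (line_no, user, file_path, alias) for every ATTACH statement."""
    findings = []
    for line_no, user, sql in _statements(log_text):
        for m in _attach_matches(sql):
            path = m.group("file").strip("'")
            findings.append((line_no, user, path, m.group("alias")))
    return findings


def find_cross_db_queries(log_text):
    """Return (line_no, user, alias) for queries touching a schema the user attached earlier."""
    aliases = {}  # user -> set of lower-cased schema names attached so far
    hits = []
    for line_no, user, sql in _statements(log_text):
        for m in _attach_matches(sql):
            aliases.setdefault(user, set()).add(m.group("alias").lower())
        for alias in sorted(aliases.get(user, ())):
            if re.search(r"\b%s\.\w+" % re.escape(alias), sql, re.IGNORECASE):
                hits.append((line_no, user, alias))
    return hits


if __name__ == "__main__":
    for finding in find_attach_attempts(SAMPLE_LOG):
        print("ATTACH:", finding)
    for hit in find_cross_db_queries(SAMPLE_LOG):
        print("cross-db query:", hit)
```

On the sample log this flags lines 2 and 4 as ATTACH attempts and line 3 as a query against the attached schema, while the literal on line 5 is not reported. In a real deployment the interesting signal is any ATTACH at all from a Metabase data-source connection, since Metabase never issues one itself.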


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf2ca0

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 10:50:13 AM

Last updated: 8/13/2025, 7:05:19 PM

