CVE-2022-39358: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in metabase metabase
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6.
AI Analysis
Technical Summary
CVE-2022-39358 is a medium-severity vulnerability in Metabase, an open-source data visualization and business intelligence platform used to build dashboards and query databases. The flaw sits in the signed-embedding feature. When a dashboard is embedded in another application, that application mints a JWT signed with the Metabase embedding secret; the values of any dashboard parameters the owner has marked "locked" are placed in that token, so the viewer sees the dashboard only through the filter the token fixes (a typical use is a customer or tenant identifier that implements row-level isolation). Parameters marked "enabled", by contrast, may be set by the viewer in the request. In versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6 and 1.42.6 the backend did not reject client-supplied values for locked parameters when serving data for a question (card) in an embedded dashboard. A holder of a valid embed token could therefore construct a request directly to the backend, override the locked values, and retrieve rows the locked filter was meant to exclude. That is why the issue is classed as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Exploitation requires no interaction from other users, but it does require a valid signed embed token (that is, legitimate access to the embedded dashboard, or a token obtained some other way) together with the ability to send crafted requests to the embed API; the Metabase UI itself does not expose the locked values. No exploitation in the wild was known at publication. The affected ranges are per release line, where 0.x is the open-source edition and 1.x the Enterprise edition: 0.42.x/1.42.x before 0.42.6/1.42.6, 0.43.x/1.43.x before 0.43.7/1.43.7, and 0.44.x/1.44.x before 0.44.5/1.44.5. Any version older than 0.42.6 is affected and has no patched release in its own line, so it must be upgraded to one of the patched lines.

The impact is on confidentiality: the rows a locked parameter was hiding (business intelligence, personal data, or other sensitive data visualized through the dashboard) become readable by an embed viewer who was not meant to see them. Integrity and availability are not directly affected. The issue was publicly disclosed on October 26, 2022; the source data lists the fixed versions but provides no direct patch links.
Potential Impact
For European organizations the primary risk is disclosure of data that locked parameters were supposed to fence off, which matters most in sectors handling regulated or confidential data such as finance, healthcare, government, and critical infrastructure. Disclosure of personal data through a business intelligence tool can trigger GDPR breach-notification duties and fines, in addition to competitive and reputational damage and potential legal liability. Because Metabase typically sits on top of internal databases and data warehouses, the exposed rows may include personal data, financial metrics, or strategic operational information. The exposure is greatest exactly where signed embedding is used: customer- or partner-facing analytics in which one dashboard serves many tenants and a locked parameter (for instance a customer identifier) is the only thing separating one tenant's rows from another's. In that setting the attacker is a legitimately authenticated viewer of the embedded dashboard, so network segmentation and perimeter authentication do not by themselves prevent exploitation; they only limit who is in a position to attempt it. No exploitation in the wild had been reported at publication, but that says nothing about difficulty: the CVE description itself states that a single crafted backend request suffices, so unpatched, externally reachable embeds should be treated as exposed.
Mitigation Recommendations
European organizations using Metabase should verify the deployed version and upgrade to the patched release of the line in use (0.42.6/1.42.6, 0.43.7/1.43.7 or 0.44.5/1.44.5) or a later release in that line or a newer line; note that a higher version number alone is not enough, since for example 0.43.0 is newer than 0.42.6 but still vulnerable. Until the upgrade is in place, assume that any row a locked parameter hides from an embed viewer may be readable by that viewer; where that is unacceptable, an interim option is to disable signed embedding for the affected dashboards.

Beyond patching, do not rely on locked parameters as the sole tenant boundary. Where the data source supports it, enforce row-level isolation in the database itself (per-tenant database users, views, or row-level security policies) so that the question cannot return another tenant's rows whatever parameter values reach it. Restrict the Metabase backend API to the embedding application and its users through network segmentation and authentication, keeping in mind that embed viewers legitimately reach the backend from their browsers, so segmentation narrows the attacker population rather than preventing the attack. A Web Application Firewall rule can be made concrete: for requests under /api/embed/, decode the JWT in the path (an unverified decode is sufficient for this purpose) and block or alert when a query-string parameter name matches a key in the token's params claim, because a legitimate embed client never needs to send a value for a locked parameter. Apply the same collision check in logging and monitoring, and alert on embed parameter values outside the expected set or on unusual volumes of card data requests from a single viewer. Audit dashboard embedding settings regularly: mark only the parameters viewers genuinely need as enabled, keep everything else locked or disabled, and avoid publicly reachable embeds without adequate controls. Finally, make sure the developers who build the embedding integration understand the locked/enabled distinction and keep the embedding secret out of client-side code, since anyone holding the secret can mint tokens with any locked values they like.
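The following Python model is an added illustration, not Metabase's own code or its actual patch. It serves both the Technical Summary above (how the signed token carries locked values and why a direct backend request could override them) and the WAF and monitoring advice in this section. It assumes the token shape documented for Metabase signed embedding (a resource claim naming the dashboard and a params claim holding locked values, signed HS256 with the embedding secret) and the /api/embed/dashboard/<token> path prefix; the embedding secret, dashboard and parameter names, the dashcard/card path tail and the sample requests are constructed, and the two resolve_params_* functions are a simplified model of the pre- and post-fix behaviour rather than Metabase's implementation.

```python
"""Model of Metabase-style signed embedding and the locked-parameter check.
Added illustration, not Metabase source. The token shape (resource/params
claims, HS256 over the embedding secret) follows the Metabase embedding docs;
the secret, parameter names, request paths below /api/embed/dashboard/<token>
and the sample requests are constructed for this example."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

SECRET = "hypothetical-embedding-secret"  # constructed; a real key is 64 hex chars


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_embed_token(dashboard_id: int, locked: dict, secret: str = SECRET) -> str:
    """Mint an HS256 JWT; the locked parameter values live in the signed payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = {"resource": {"dashboard": dashboard_id}, "params": locked}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_embed_token(token: str, secret: str = SECRET) -> dict:
    """Verify the signature and return the payload; ValueError on any tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("embed token signature mismatch")
    return json.loads(_b64url_decode(body))


def resolve_params_vulnerable(token: str, query: dict) -> dict:
    """Pre-fix pattern (simplified model): client query values are merged over
    the token's locked values, so a direct backend request replaces the locked filter."""
    params = dict(decode_embed_token(token)["params"])
    params.update(query)
    return params


def resolve_params_hardened(token: str, query: dict, enabled: set) -> dict:
    """Post-fix pattern (simplified model): locked values come only from the signed
    token; a client value for a locked or non-enabled parameter is rejected."""
    locked = decode_embed_token(token)["params"]
    for name in query:
        if name in locked:
            raise PermissionError(f"{name!r} is locked; the client may not set it")
        if name not in enabled:
            raise PermissionError(f"{name!r} is not an enabled embed parameter")
    return {**locked, **query}


def peek_embed_params(token: str) -> dict:
    """Unverified payload decode for log triage (needs no secret); the backend's
    own signature check already decided whether the request was served."""
    return json.loads(_b64url_decode(token.split(".")[1])).get("params", {})


def flag_locked_param_overrides(request_urls: list) -> list:
    """Return (url, overridden_names) for embed dashboard requests whose query
    string sets a parameter name that the token in the path already locks."""
    hits = []
    for url in request_urls:
        parts = urlsplit(url)
        segs = parts.path.split("/")
        if len(segs) < 5 or segs[1:4] != ["api", "embed", "dashboard"]:
            continue
        try:
            locked = peek_embed_params(segs[4])
        except (IndexError, ValueError):
            continue  # not JWT-shaped; the backend rejects such tokens anyway
        overridden = sorted(set(parse_qs(parts.query)) & set(locked))
        if overridden:
            hits.append((url, overridden))
    return hits


# Constructed traffic: a tenant-scoped token, one legitimate request that sets an
# enabled parameter, and one that tries to swap the locked customer_id.
TOKEN = sign_embed_token(10, {"customer_id": 42})
SAMPLE_REQUESTS = [
    f"/api/embed/dashboard/{TOKEN}/dashcard/3/card/7?region=EU",
    f"/api/embed/dashboard/{TOKEN}/dashcard/3/card/7?customer_id=99",
    "/api/dashboard/10",
]

if __name__ == "__main__":
    print("vulnerable merge:", resolve_params_vulnerable(TOKEN, {"customer_id": "99"}))
    for url, names in flag_locked_param_overrides(SAMPLE_REQUESTS):
        print("override attempt for", names, "in", url)
```

Run it directly to see the vulnerable merge replace the token's customer_id of 42 with the attacker's 99, while the hardened resolver refuses the same request and the scanner flags it. The collision rule the scanner applies (a query parameter name equal to a key in the token's params claim) is the condition a WAF rule or log query should look for, because a legitimate embed client only ever sends values for enabled parameters.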
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9846c4522896dcbf495f
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 2:50:19 PM
Last updated: 8/11/2025, 8:47:07 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)