
CVE-2022-39361: CWE-20: Improper Input Validation in metabase metabase

Medium
Published: Wed Oct 26 2022 (10/26/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: metabase
Product: metabase

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.

AI-Powered Analysis

Last updated: 06/22/2025, 14:38:05 UTC

Technical Analysis

CVE-2022-39361 is a vulnerability in Metabase, an open-source data visualization and business intelligence tool widely used for querying and visualizing data. The issue is improper input validation (CWE-20) in the handling of SQL queries executed against the embedded H2 database, which Metabase ships as a sample or default database. Prior to the patched versions (0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9), Metabase allowed users with the ability to write SQL queries on H2 databases to execute Data Definition Language (DDL) statements. Because maliciously crafted DDL statements can be abused to execute arbitrary code on the host system running Metabase, this amounts to a remote code execution (RCE) path for any user holding query-writing rights. The weakness is classified as CWE-20 (improper input validation) and CWE-441 (unintended proxy or intermediary, "confused deputy"): Metabase trusts the user-supplied query and forwards it to H2, which then performs actions the user should never have been able to trigger.

The fix in the patched versions rejects DDL statements in H2 native queries, closing the RCE path. No exploits in the wild were known as of the publication date (October 26, 2022), but the vulnerability poses a significant risk wherever untrusted users hold query-writing privileges on H2 databases within Metabase. The affected versions span multiple release lines: all versions before 0.41.9, and each later release line up to but not including its patched release. The issue is particularly critical in multi-tenant or shared environments where user privileges may be less strictly controlled.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Metabase for business intelligence and data visualization tasks. If exploited, attackers with query-writing access could execute arbitrary code on the Metabase server, potentially leading to full system compromise, data theft, or disruption of business operations. This affects confidentiality (exposure of sensitive business data), integrity (alteration or corruption of data visualizations or underlying datasets), and availability (service outages or system instability). Organizations in sectors such as finance, healthcare, manufacturing, and government, which often use Metabase for critical data analysis, may face regulatory and reputational damage if the flaw is exploited. The risk is heightened where Metabase is exposed to less trusted users or integrated with external data sources without strict access controls. Additionally, the ability to reach RCE without complex authentication or user interaction (beyond query-writing privileges) increases the threat level. Although no public exploits are known, the medium severity rating still makes proactive patching essential to prevent potential exploitation.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:

1) Immediately upgrade Metabase installations to the patched versions (0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, or 1.41.9 and above) to ensure the restriction of DDL statements in H2 queries.
2) Restrict query-writing privileges strictly to trusted users and implement role-based access controls (RBAC) to minimize the number of users who can execute native SQL queries, especially on H2 databases.
3) Where possible, disable or replace the embedded H2 sample database with production-grade databases that do not allow such unsafe query execution or have more robust security controls.
4) Monitor Metabase logs for unusual query patterns or attempts to execute DDL statements, enabling early detection of exploitation attempts.
5) Employ network segmentation and firewall rules to limit access to Metabase servers, reducing exposure to untrusted networks or users.
6) Conduct regular security audits and penetration testing focused on Metabase deployments to identify and remediate any residual risks related to query execution privileges.
7) Educate administrators and users about the risks of executing arbitrary SQL queries and enforce strict policies around query validation and review.
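Measure 4 above asks defenders to watch H2 native queries for DDL, and the fix described in this advisory rejects such statements outright. The block below is an added example, not Metabase's own code or its actual patch: a simplified classifier that strips comments and string literals before looking at the leading keyword of each semicolon-separated statement, so that a keyword inside a literal does not produce a false positive and a comment cannot hide one. The keyword set and the function names are assumptions chosen for illustration.

```python
"""Flag DDL statements inside H2 native-query text (added example, not Metabase's code).

A defender could run this over exported query text or in front of a native-query
endpoint to surface the "DDL in an H2 native query" pattern that CVE-2022-39361
describes.  Comments and string literals are stripped before tokenising, so a keyword
inside a literal is not a false positive and a comment cannot hide a leading keyword.
"""
import re

# Statement-leading keywords treated as DDL.  Assumption: a conservative starter set;
# a production control should rely on the database's own parser, not a keyword list.
DDL_KEYWORDS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"}

_COMMENT_OR_STRING = re.compile(
    r"--[^\n]*"               # line comment
    r"|/\*.*?\*/"             # block comment
    r"|'(?:[^']|'')*'"        # single-quoted literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"',       # double-quoted identifier
    re.DOTALL,
)

def strip_comments_and_strings(sql: str) -> str:
    """Comments become a space; literals and quoted identifiers become '?'."""
    return _COMMENT_OR_STRING.sub(lambda m: " " if m.group(0)[0] in "-/" else "?", sql)

def split_statements(sql: str) -> list[str]:
    """Split a (stripped) batch on ';', dropping empty fragments."""
    return [s.strip() for s in strip_comments_and_strings(sql).split(";") if s.strip()]

def find_ddl(sql: str) -> list[str]:
    """Return the upper-cased leading keyword of every DDL statement in `sql`."""
    hits = []
    for stmt in split_statements(sql):
        first = re.match(r"[A-Za-z_]+", stmt)
        if first and first.group(0).upper() in DDL_KEYWORDS:
            hits.append(first.group(0).upper())
    return hits

def is_safe_native_query(sql: str) -> bool:
    """Policy matching the fix described above: reject any batch containing DDL."""
    return not find_ddl(sql)

if __name__ == "__main__":
    # Constructed sample queries, not taken from any real Metabase log.
    for q in ["SELECT id FROM people WHERE name = 'DROP TABLE x'",
              "SELECT 1; /* hidden */ drop table orders",
              "-- CREATE in a comment\nSELECT count(*) FROM orders"]:
        print(f"{'ALLOW' if is_safe_native_query(q) else 'BLOCK':5} {find_ddl(q)} {q!r}")
```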


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9846c4522896dcbf496b

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 2:38:05 PM

Last updated: 8/11/2025, 9:36:09 AM
