Skip to content

SQLite allows "FDW" to other SQLite databases bypassing any permissions

Moderate
diogormendes published GHSA-vm79-xvmp-7329 Apr 14, 2022

Package

Metabase OSS and Enterprise (Metabase)

Affected versions

<x.42.3 <x.41.6

Patched versions

0.42.4,1.42.4,0.41.7,1.41.7

Description

Impact

SQLite has an FDW-like feature called ATTACH DATABASE, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database.

Patches

The following patches (or greater versions) are available:

  • 0.42.4 and 1.42.4
  • 0.41.7 and 1.41.7

If you use SQLite databases, where other users can write SQL queries, you should upgrade immediately.
All releases are available on https://github.com/metabase/metabase/releases

Credits

Reported by https://github.com/Cl0wnK1n9 via security@ email

Severity

Moderate

CVE ID

CVE-2022-24854

Weaknesses

No CWEs

Credits