Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Metabase: Arbitrary File Read via MySQL Connection Property Injection
Vulnerability Description
Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Vulnerability Type
参数注入或修改
Vulnerability Title
Metabase 命令注入漏洞
Vulnerability Description
Metabase是美国Metabase公司开源的一个开源数据分析平台。 Metabase存在命令注入漏洞,该漏洞源于向MySQL或MariaDB连接添加不安全的JDBC参数,导致攻击者可以读取Metabase服务器文件系统中的任意文件。以下版本受到影响:1.57.0版本至1.57.19.1之前版本、1.58.0版本至1.58.14.1之前版本、1.59.0版本至1.59.10之前版本和1.60.0版本至1.60.4之前版本。
CVSS Information
N/A
Vulnerability Type
N/A