漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Metabase: Unsafe Deserialization of H2 Query Results
Vulnerability Description
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
Metabase 反序列化注入漏洞
Vulnerability Description
Metabase是美国Metabase公司开源的一个开源数据分析平台。 Metabase存在反序列化注入漏洞,该漏洞源于对H2本机查询结果列中返回的任意Java对象未进行验证的反序列化,可能导致经过身份验证的用户在Metabase服务器上执行代码。以下版本受到影响:1.58.15之前版本、1.59.12之前版本、1.60.6.3之前版本和1.61.1.4之前版本。
CVSS Information
N/A
Vulnerability Type
N/A