CVE-2022-39361: 
NixOS vulnerability analysis and mitigation

Metabase, prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, contained a vulnerability in its H2 (Sample Database) component that could allow Remote Code Execution (RCE). The vulnerability was disclosed on October 26, 2022, and affects users who have permissions to write SQL queries on H2 databases (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (High), with an Impact Score of 5.9 and Exploitability Score of 2.8. The attack vector is Network-based, requires Low complexity, Low privileges, and No user interaction. The scope is Unchanged, with High impact on Confidentiality, Integrity, and Availability (AttackerKB).

If successfully exploited, this vulnerability allows attackers with SQL query writing permissions to execute remote code on the affected system. This could lead to complete system compromise, potentially affecting the confidentiality, integrity, and availability of the Metabase installation (NVD).

The vulnerability has been patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. The fix prevents DDL statements in H2 native queries. Organizations should upgrade to the patched versions to mitigate this vulnerability (GitHub Advisory).