CVE-2023-23628

Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::

History

No history.

Information

Published : 2023-01-28 02:15

Updated : 2023-11-07 04:07

NVD link : CVE-2023-23628

Mitre link : CVE-2023-23628

CVE.ORG link : CVE-2023-23628

JSON object : View

Products Affected

metabase

metabase

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-23628", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2023-01-28T02:15:07.797", "references": [{"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"}, {"lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a la exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\u00f3n de una suscripci\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\u00f3n. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds."}], "lastModified": "2023-11-07T04:07:50.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C", "versionEndExcluding": "0.43.7.1"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5", "versionEndExcluding": "0.44.6.1", "versionStartIncluding": "0.44.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3", "versionEndExcluding": "0.45.2.1", "versionStartIncluding": "0.45.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505", "versionEndExcluding": "1.43.7.1", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44", "versionEndExcluding": "1.44.6.1", "versionStartIncluding": "1.44.0"}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31", "versionEndExcluding": "1.45.2.1", "versionStartIncluding": "1.45.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}