CVE-2023-23628

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-23628
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.

5.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv Third Party Advisory
https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
History

21 Nov 2024, 07:46

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.1 		v2 : unknown
v3 : 5.7
Summary
  • (es) Metabase es una plataforma de análisis de datos de código abierto. Las versiones afectadas están sujetas a la exposición de información confidencial a un actor no autorizado. Los usuarios del espacio aislado no deberían poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicación Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuración de una suscripción al panel y otro usuario ha agregado usuarios a esa suscripción, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripción. Este problema se solucionó en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds.
References () https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv - Third Party Advisory () https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv - Third Party Advisory
Information

Published : 2023-01-28 02:15

Updated : 2024-11-21 07:46

NVD link : CVE-2023-23628

Mitre link : CVE-2023-23628

CVE.ORG link : CVE-2023-23628

JSON object : View

Products Affected

metabase

  • metabase
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor