CVE-2023-23628

Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*

History

07 Nov 2023, 04:07

Type Values Removed Values Added
Summary Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds. Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.

06 Feb 2023, 19:29

Type Values Removed Values Added
CPE cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
First Time Metabase metabase
Metabase
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.1
References (MISC) https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrvĀ - (MISC) https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrvĀ - Third Party Advisory

28 Jan 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-28 02:15

Updated : 2023-12-10 14:48


NVD link : CVE-2023-23628

Mitre link : CVE-2023-23628

CVE.ORG link : CVE-2023-23628


JSON object : View

Products Affected

metabase

  • metabase
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor