CVE-2023-23628

Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor

CVSS 5.7 MEDIUMEPSS 0.4%CWE-200

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.7EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

28 Jan 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Affected products

metabase · metabase

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv