{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23628", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.244Z", "datePublished": "2023-01-28T01:11:16.710Z", "dateUpdated": "2025-03-10T21:17:43.694Z"}, "containers": {"cna": {"title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor ", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}], "affected": [{"vendor": "metabase", "product": "metabase", "versions": [{"version": "< 0.43.7.1", "status": "affected"}, {"version": ">= 0.44.0-RC1, < 0.44.6.1", "status": "affected"}, {"version": ">= 0.45.0-RC1, < 0.45.2.1", "status": "affected"}, {"version": ">= 1.0.0, < 1.43.7.1", "status": "affected"}, {"version": ">= 1.44.0-RC1, < 1.44.6.1", "status": "affected"}, {"version": ">= 1.45.0-RC1, < 1.45.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-28T01:11:16.710Z"}, "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"}], "source": {"advisory": "GHSA-492f-qxr3-9rrv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.640Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T20:58:46.739997Z", "id": "CVE-2023-23628", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:17:43.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.640Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-23628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T20:58:46.739997Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T20:58:48.523Z"}}], "cna": {"title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor ", "source": {"advisory": "GHSA-492f-qxr3-9rrv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "metabase", "product": "metabase", "versions": [{"status": "affected", "version": "< 0.43.7.1"}, {"status": "affected", "version": ">= 0.44.0-RC1, < 0.44.6.1"}, {"status": "affected", "version": ">= 0.45.0-RC1, < 0.45.2.1"}, {"status": "affected", "version": ">= 1.0.0, < 1.43.7.1"}, {"status": "affected", "version": ">= 1.44.0-RC1, < 1.44.6.1"}, {"status": "affected", "version": ">= 1.45.0-RC1, < 1.45.2.1"}]}], "references": [{"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-28T01:11:16.710Z"}}}, "cveMetadata": {"cveId": "CVE-2023-23628", "state": "PUBLISHED", "dateUpdated": "2025-03-10T21:17:43.694Z", "dateReserved": "2023-01-16T17:07:46.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-01-28T01:11:16.710Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C", "versionEndExcluding": "0.43.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5", "versionEndExcluding": "0.44.6.1", "versionStartIncluding": "0.44.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3", "versionEndExcluding": "0.45.2.1", "versionStartIncluding": "0.45.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505", "versionEndExcluding": "1.43.7.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44", "versionEndExcluding": "1.44.6.1", "versionStartIncluding": "1.44.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31", "versionEndExcluding": "1.45.2.1", "versionStartIncluding": "1.45.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"}, {"lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a la exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\u00f3n de una suscripci\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\u00f3n. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds."}], "id": "CVE-2023-23628", "lastModified": "2024-11-21T07:46:34.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-28T02:15:07.797", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}