CVE-2023-23628 - Vulnerability Details - OpenCVE

Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metabase	Metabase

Configuration 1 [-]

OR	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::
	cpe:2.3:a:metabase:metabase::::::::

No data.

References

Link	Providers
https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-28T01:11:16.710Z

Updated: 2024-08-02T10:35:33.640Z

Reserved: 2023-01-16T17:07:46.244Z

Link: CVE-2023-23628

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-28T02:15:07.797

Modified: 2024-11-21T07:46:34.077

Link: CVE-2023-23628

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23628", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.244Z", "datePublished": "2023-01-28T01:11:16.710Z", "dateUpdated": "2024-08-02T10:35:33.640Z"}, "containers": {"cna": {"title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor ", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}], "affected": [{"vendor": "metabase", "product": "metabase", "versions": [{"version": "< 0.43.7.1", "status": "affected"}, {"version": ">= 0.44.0-RC1, < 0.44.6.1", "status": "affected"}, {"version": ">= 0.45.0-RC1, < 0.45.2.1", "status": "affected"}, {"version": ">= 1.0.0, < 1.43.7.1", "status": "affected"}, {"version": ">= 1.44.0-RC1, < 1.44.6.1", "status": "affected"}, {"version": ">= 1.45.0-RC1, < 1.45.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-28T01:11:16.710Z"}, "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"}], "source": {"advisory": "GHSA-492f-qxr3-9rrv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.640Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C", "versionEndExcluding": "0.43.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5", "versionEndExcluding": "0.44.6.1", "versionStartIncluding": "0.44.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3", "versionEndExcluding": "0.45.2.1", "versionStartIncluding": "0.45.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505", "versionEndExcluding": "1.43.7.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44", "versionEndExcluding": "1.44.6.1", "versionStartIncluding": "1.44.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31", "versionEndExcluding": "1.45.2.1", "versionStartIncluding": "1.45.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"}, {"lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a la exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\u00f3n de una suscripci\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\u00f3n. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds."}], "id": "CVE-2023-23628", "lastModified": "2024-11-21T07:46:34.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-28T02:15:07.797", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}