Search criteria
60 vulnerabilities found for metabase by metabase
FKIE_CVE-2025-5895
Vulnerability from fkie_nvd - Published: 2025-06-09 20:15 - Updated: 2025-07-10 16:26
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0 | Patch | |
| cna@vuldb.com | https://github.com/metabase/metabase/pull/57011 | Exploit, Issue Tracking, Patch | |
| cna@vuldb.com | https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135 | Exploit, Issue Tracking, Patch | |
| cna@vuldb.com | https://vuldb.com/?ctiid.311667 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.311667 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.585795 | Third Party Advisory, VDB Entry | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/metabase/metabase/pull/57011 | Exploit, Issue Tracking, Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:0.54.10:*:*:*:-:*:*:*",
"matchCriteriaId": "C402E893-1A85-4565-9188-FDF58039F882",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en Metabase 54.10. Se ha clasificado como problem\u00e1tica. Afecta a la funci\u00f3n parseDataUri del archivo frontend/src/mebase/lib/dom.js. La manipulaci\u00f3n genera una complejidad ineficiente en las expresiones regulares. Es posible iniciar el ataque de forma remota. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. El parche se denomina 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. Se recomienda aplicar un parche para solucionar este problema."
}
],
"id": "CVE-2025-5895",
"lastModified": "2025-07-10T16:26:17.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2025-06-09T20:15:25.890",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0"
},
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/57011"
},
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.311667"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.311667"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.585795"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/57011"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
},
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-27141
Vulnerability from fkie_nvd - Published: 2025-02-24 22:15 - Updated: 2025-02-28 16:24
Severity ?
Summary
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "AACC8509-72A6-4D34-834D-2E28DEE43E3B",
"versionEndExcluding": "1.50.36",
"versionStartIncluding": "1.47.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "838875F9-C45A-4610-9D27-476B440862C9",
"versionEndExcluding": "1.51.14",
"versionStartIncluding": "1.51.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "CAF5BC90-DC75-40EA-9ACA-EECB3E56EAD2",
"versionEndExcluding": "1.52.11",
"versionStartIncluding": "1.52.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "F93B3622-0521-479F-817F-378FA03854AA",
"versionEndExcluding": "1.53.2",
"versionStartIncluding": "1.53.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue."
},
{
"lang": "es",
"value": "Metabase Enterprise Edition es la versi\u00f3n empresarial del software de inteligencia empresarial y an\u00e1lisis de datos Metabase. A partir de la versi\u00f3n 1.47.0 y anteriores a las versiones 1.50.36, 1.51.14, 1.52.11 y 1.53.2 de Metabase Enterprise Edition, los usuarios con permisos de suplantaci\u00f3n de identidad pueden ver los resultados de las preguntas almacenadas en cach\u00e9, incluso si sus permisos no les permiten ver los datos. Si alg\u00fan usuario ejecuta una pregunta que se almacena en cach\u00e9 y luego un usuario suplantado ejecuta esa pregunta, el usuario suplantado ve los mismos resultados que el usuario anterior. Estos resultados almacenados en cach\u00e9 pueden incluir datos a los que el usuario suplantado no deber\u00eda tener acceso. Esta vulnerabilidad solo afecta a la Enterprise Edition de Metabase y no a la Open Source Edition. Las versiones 1.53.2, 1.52.11, 1.51.14 y 1.50.36 contienen un parche. Las versiones de las ramas 1.49.X, 1.48.X y 1.47.X son vulnerables, pero no tienen un parche disponible, por lo que los usuarios deben actualizar a una versi\u00f3n principal con una soluci\u00f3n disponible. Deshabilitar el almacenamiento en cach\u00e9 de preguntas es un workaround para este problema."
}
],
"id": "CVE-2025-27141",
"lastModified": "2025-02-28T16:24:18.650",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-24T22:15:23.077",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.metabase.com/docs/latest/configuring-metabase/caching"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.metabase.com/docs/latest/permissions/impersonation"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-37470
Vulnerability from fkie_nvd - Published: 2023-08-04 16:15 - Updated: 2024-11-21 08:11
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 | Mitigation, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 | Mitigation, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "AFE116C8-B5B5-48CE-873D-1E508D1A656A",
"versionEndExcluding": "0.43.7.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "97C698D2-6F8A-4BD4-BC29-80086F1F87C0",
"versionEndExcluding": "1.43.7.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "36C340AD-358E-478B-B75C-4A0A8F52F6C6",
"versionEndExcluding": "0.44.7.3",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "A23C9D19-21F7-4529-8CF7-C20DACA524F3",
"versionEndExcluding": "0.45.4.3",
"versionStartIncluding": "0.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "87EA14BE-A683-44D4-904D-3DEB8A672958",
"versionEndExcluding": "0.46.6.4",
"versionStartIncluding": "0.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "A4F52A25-3933-4D5D-A69F-073D31C079D2",
"versionEndExcluding": "1.44.7.3",
"versionStartIncluding": "1.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "0ECC070D-27E2-40A2-A0D4-E818CBAB857D",
"versionEndExcluding": "1.45.4.3",
"versionStartIncluding": "1.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "E025C478-8650-4B5E-B92F-9ACD2AA4C8C2",
"versionEndExcluding": "1.46.6.4",
"versionStartIncluding": "1.46.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one\u0027s Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite."
},
{
"lang": "es",
"value": "Metabase es una plataforma de an\u00e1lisis e inteligencia empresarial de c\u00f3digo abierto. Antes de las versiones 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3 y 1.46.6.4, una vulnerabilidad pod\u00eda permitir la ejecuci\u00f3n remota de c\u00f3digo en el servidor Metabase. El problema central es que uno de los almacenes de datos soportados (una base de datos en memoria embebida H2), expone un varias maneras para que una cadena de conexi\u00f3n incluya c\u00f3digo que luego es ejecutado por el proceso que ejecuta la base de datos embebida. Debido a que Metabase permite a los usuarios conectarse a bases de datos, esto significa que una cadena suministrada por el usuario puede ser utilizada para inyectar c\u00f3digo ejecutable. Metabase permite a los usuarios validar su cadena de conexi\u00f3n antes de a\u00f1adir una base de datos (incluso en la configuraci\u00f3n), y esta API de validaci\u00f3n fue el principal vector utilizado, ya que puede ser llamada sin validaci\u00f3n. Las versiones 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3 y 1.46.6.4 solucionan este problema eliminando por completo la posibilidad de que los usuarios a\u00f1adan bases de datos H2. Como soluci\u00f3n, es posible bloquear estas vulnerabilidades a nivel de red bloqueando los endpoints `POST /api/database`, `PUT /api/database/:id`, y `POST /api/setup/validateuntil`. Quienes utilicen H2 como base de datos basada en ficheros deber\u00edan migrar a SQLite."
}
],
"id": "CVE-2023-37470",
"lastModified": "2024-11-21T08:11:46.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-04T16:15:09.610",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-38646
Vulnerability from fkie_nvd - Published: 2023-07-21 15:15 - Updated: 2024-11-21 08:13
Severity ?
Summary
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "5AE3BE02-E7B9-43CB-8FBA-001F5D8E24ED",
"versionEndExcluding": "0.43.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "6591576F-15AC-493F-96B4-6F3E1E5D1350",
"versionEndExcluding": "1.43.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "90CEC6C0-C2EE-496D-BBE0-DBC83717F211",
"versionEndExcluding": "0.44.7.1",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "EC4D0A9A-F084-403A-83BF-F1C56470B845",
"versionEndExcluding": "0.45.4.1",
"versionStartIncluding": "0.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
"matchCriteriaId": "BEA5EEF8-7F70-4D40-9EB6-8BB5226E281E",
"versionEndExcluding": "0.46.6.1",
"versionStartIncluding": "0.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "825F5E14-49FC-4A8A-87FE-FA039D121F99",
"versionEndExcluding": "1.44.7.1",
"versionStartIncluding": "1.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "C20D76CF-15B4-49C3-8F3A-8417B5C8016B",
"versionEndExcluding": "1.45.4.1",
"versionStartIncluding": "1.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "47767C52-13CC-4164-84DC-54E3BDC1C590",
"versionEndExcluding": "1.46.6.1",
"versionStartIncluding": "1.46.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server\u0027s privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2."
}
],
"id": "CVE-2023-38646",
"lastModified": "2024-11-21T08:13:58.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-21T15:15:10.003",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/metabase/metabase/issues/32552"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=36812256"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.metabase.com/blog/security-advisory"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/metabase/metabase/issues/32552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=36812256"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.metabase.com/blog/security-advisory"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-32680
Vulnerability from fkie_nvd - Published: 2023-05-18 23:15 - Updated: 2024-11-21 08:03
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "224A57A1-0426-402D-B2AB-A7909F995D27",
"versionEndExcluding": "0.44.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "426C2FA2-C43E-4E09-8995-26E4E8254C9C",
"versionEndExcluding": "0.45.4",
"versionStartIncluding": "0.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D569869-9451-48ED-8C82-CFC560A830E5",
"versionEndExcluding": "0.46.3",
"versionStartIncluding": "0.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6024329D-A315-45C7-BE88-9AE30787DACE",
"versionEndExcluding": "1.44.7",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7C8547BD-E4C3-45EB-9294-A9CDF88303EE",
"versionEndExcluding": "1.45.4",
"versionStartIncluding": "1.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3A7E247-05AE-43A6-A924-CB6B62679CD7",
"versionEndExcluding": "1.46.3",
"versionStartIncluding": "1.46.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets."
}
],
"id": "CVE-2023-32680",
"lastModified": "2024-11-21T08:03:50.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 5.8,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-18T23:15:09.783",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/30852"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/30853"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/30854"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/30852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/30853"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/metabase/metabase/pull/30854"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-23629
Vulnerability from fkie_nvd - Published: 2023-01-28 02:15 - Updated: 2024-11-21 07:46
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C",
"versionEndExcluding": "0.43.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5",
"versionEndExcluding": "0.44.6.1",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3",
"versionEndExcluding": "0.45.2.1",
"versionStartIncluding": "0.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505",
"versionEndExcluding": "1.43.7.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44",
"versionEndExcluding": "1.44.6.1",
"versionStartIncluding": "1.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31",
"versionEndExcluding": "1.45.2.1",
"versionStartIncluding": "1.45.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n"
},
{
"lang": "es",
"value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a una gesti\u00f3n de privilegios inadecuada. Seg\u00fan lo previsto, los destinatarios de las suscripciones a paneles pueden ver los datos tal como los ve el creador de esa suscripci\u00f3n. Esto permite que alguien con mayor acceso a los datos cree una suscripci\u00f3n al panel, agregue personas con menos privilegios de datos y todos los destinatarios de esa suscripci\u00f3n reciban los mismos datos: los gr\u00e1ficos que se muestran en el correo electr\u00f3nico cumplir\u00e1n con los privilegios del usuario que cre\u00f3 la suscripci\u00f3n. . El problema es que los usuarios con menos privilegios que pueden ver un panel pueden agregarse a una suscripci\u00f3n al panel creada por alguien con privilegios de datos adicionales y, por lo tanto, obtener acceso a m\u00e1s datos por correo electr\u00f3nico. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. En instancias de Metabase que ejecutan Enterprise Edition, los administradores pueden desactivar el permiso \"Suscripciones y alertas\" para grupos que tienen permisos de datos restringidos, como workaround."
}
],
"id": "CVE-2023-23629",
"lastModified": "2024-11-21T07:46:34.197",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-28T02:15:07.900",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-23628
Vulnerability from fkie_nvd - Published: 2023-01-28 02:15 - Updated: 2024-11-21 07:46
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C",
"versionEndExcluding": "0.43.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5",
"versionEndExcluding": "0.44.6.1",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3",
"versionEndExcluding": "0.45.2.1",
"versionStartIncluding": "0.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505",
"versionEndExcluding": "1.43.7.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44",
"versionEndExcluding": "1.44.6.1",
"versionStartIncluding": "1.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31",
"versionEndExcluding": "1.45.2.1",
"versionStartIncluding": "1.45.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"
},
{
"lang": "es",
"value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a la exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\u00f3n de una suscripci\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\u00f3n. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds."
}
],
"id": "CVE-2023-23628",
"lastModified": "2024-11-21T07:46:34.077",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-28T02:15:07.797",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-39362
Vulnerability from fkie_nvd - Published: 2022-10-26 19:15 - Updated: 2024-11-21 07:18
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42",
"versionEndExcluding": "0.41.9",
"versionStartIncluding": "0.41.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225",
"versionEndExcluding": "0.42.6",
"versionStartIncluding": "0.42.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48",
"versionEndExcluding": "0.43.7",
"versionStartIncluding": "0.43.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98",
"versionEndExcluding": "0.44.5",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99",
"versionEndExcluding": "1.41.9",
"versionStartIncluding": "1.41.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6",
"versionEndExcluding": "1.42.6",
"versionStartIncluding": "1.42.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479",
"versionEndExcluding": "1.43.7",
"versionStartIncluding": "1.43.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1",
"versionEndExcluding": "1.44.5",
"versionStartIncluding": "1.44.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, unsaved SQL queries are auto-executed, which could pose a possible attack vector. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer automatically executes ad-hoc native queries. Now the native editor shows the query and gives the user the option to manually run the query if they want."
},
{
"lang": "es",
"value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, eran auto ejecutadas las consultas SQL no guardadas, lo que pod\u00eda suponer un posible vector de ataque. Este problema ha sido corregido en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no ejecuta autom\u00e1ticamente las consultas nativas ad hoc. Ahora el editor nativo muestra la consulta y da al usuario la opci\u00f3n de ejecutarla manualmente si lo desea"
}
],
"id": "CVE-2022-39362",
"lastModified": "2024-11-21T07:18:07.203",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-26T19:15:15.800",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/commit/b7c6bb905a9187347cfc9035443b514713027a5c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-356"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-39361
Vulnerability from fkie_nvd - Published: 2022-10-26 19:15 - Updated: 2024-11-21 07:18
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42",
"versionEndExcluding": "0.41.9",
"versionStartIncluding": "0.41.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225",
"versionEndExcluding": "0.42.6",
"versionStartIncluding": "0.42.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48",
"versionEndExcluding": "0.43.7",
"versionStartIncluding": "0.43.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98",
"versionEndExcluding": "0.44.5",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99",
"versionEndExcluding": "1.41.9",
"versionStartIncluding": "1.41.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6",
"versionEndExcluding": "1.42.6",
"versionStartIncluding": "1.42.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479",
"versionEndExcluding": "1.43.7",
"versionStartIncluding": "1.43.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1",
"versionEndExcluding": "1.44.5",
"versionStartIncluding": "1.44.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries."
},
{
"lang": "es",
"value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, H2 (base de datos de muestra) pod\u00eda permitir una ejecuci\u00f3n de c\u00f3digo remota (RCE), de la que pod\u00edan abusar los usuarios capaces de escribir consultas SQL en las bases de datos H2. Este problema est\u00e1 parcheado en versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ya no permite las sentencias DDL en las consultas nativas H2"
}
],
"id": "CVE-2022-39361",
"lastModified": "2024-11-21T07:18:07.077",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-26T19:15:14.707",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-441"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-39360
Vulnerability from fkie_nvd - Published: 2022-10-26 19:15 - Updated: 2024-11-21 07:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCD50540-E323-41CE-9D9C-EDA8CB718E42",
"versionEndExcluding": "0.41.9",
"versionStartIncluding": "0.41.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF01C7BF-CB4C-4990-9082-587CFD555225",
"versionEndExcluding": "0.42.6",
"versionStartIncluding": "0.42.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8858058E-C597-4752-8625-9B279DC65A48",
"versionEndExcluding": "0.43.7",
"versionStartIncluding": "0.43.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A94F7EA-BC18-4013-9A93-7962226FDD98",
"versionEndExcluding": "0.44.5",
"versionStartIncluding": "0.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "804B84E1-5D1A-4251-9829-65F5FD927D99",
"versionEndExcluding": "1.41.9",
"versionStartIncluding": "1.41.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73310924-8CD4-4696-89B9-EED3390375A6",
"versionEndExcluding": "1.42.6",
"versionStartIncluding": "1.42.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A86AA0C8-2C4F-4DDD-8371-6B43611E2479",
"versionEndExcluding": "1.43.7",
"versionStartIncluding": "1.43.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF7A60F6-5062-4094-91A5-71445F9B7BC1",
"versionEndExcluding": "1.44.5",
"versionStartIncluding": "1.44.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login."
},
{
"lang": "es",
"value": "Metabase es un software de visualizaci\u00f3n de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, los usuarios de inicio de sesi\u00f3n \u00fanico (SSO) pod\u00edan restablecer sus contrase\u00f1as en Metabase, lo que pod\u00eda permitir el acceso de un usuario sin pasar por el IdP de SSO. Este problema ha sido corregido en las versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ahora bloquea el restablecimiento de la contrase\u00f1a para todos los usuarios que usan SSO para su inicio de sesi\u00f3n en Metabase"
}
],
"id": "CVE-2022-39360",
"lastModified": "2024-11-21T07:18:06.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-26T19:15:13.657",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-304"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-5895 (GCVE-0-2025-5895)
Vulnerability from cvelistv5 – Published: 2025-06-09 20:00 – Updated: 2025-06-10 15:30
VLAI?
Title
Metabase dom.js parseDataUri redos
Summary
A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Credits
mmmsssttt (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5895",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:23:31.679790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:32.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/metabase/metabase/pull/57011"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Metabase",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "54.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Metabase 54.10 ausgemacht. Sie wurde als problematisch eingestuft. Es geht dabei um die Funktion parseDataUri der Datei frontend/src/metabase/lib/dom.js. Durch Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Der Patch wird als 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:00:19.261Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311667 | Metabase dom.js parseDataUri redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311667"
},
{
"name": "VDB-311667 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311667"
},
{
"name": "Submit #585795 | metabase @metabase 54.10 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585795"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/metabase/metabase/pull/57011"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135"
},
{
"tags": [
"patch"
],
"url": "https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:52:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "Metabase dom.js parseDataUri redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5895",
"datePublished": "2025-06-09T20:00:19.261Z",
"dateReserved": "2025-06-09T06:47:00.425Z",
"dateUpdated": "2025-06-10T15:30:32.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32382 (GCVE-0-2025-32382)
Vulnerability from cvelistv5 – Published: 2025-04-10 14:40 – Updated: 2025-04-10 15:23
VLAI?
Title
Snowflake credentials logged by the Metabase backend
Summary
Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase found a connection that worked, it would log (log/infof "Successfully connected, migrating to: %s" (pr-str test-details)) which would then print the username and password to the logger. This is fixed in 52.17.1, 53.9.5 and 54.1.5 in both the OSS and enterprise editions. Versions 51 and lower are not impacted.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T15:23:05.467005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:23:19.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.52.12, \u003c 0.52.17.1"
},
{
"status": "affected",
"version": "\u003e= 1.52.12, \u003c 1.52.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.53.2.3, \u003c 0.53.9.5"
},
{
"status": "affected",
"version": "\u003e= 1.53.2.3, \u003c 1.53.9.5"
},
{
"status": "affected",
"version": "\u003e= 0.54.0.0, \u003c 0.54.1.5"
},
{
"status": "affected",
"version": "\u003e= 1.54.0.0, \u003c 1.54.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase found a connection that worked, it would log (log/infof \"Successfully connected, migrating to: %s\" (pr-str test-details)) which would then print the username and password to the logger. This is fixed in 52.17.1, 53.9.5 and 54.1.5 in both the OSS and enterprise editions. Versions 51 and lower are not impacted."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:40:53.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f"
}
],
"source": {
"advisory": "GHSA-832j-56xw-5p7f",
"discovery": "UNKNOWN"
},
"title": "Snowflake credentials logged by the Metabase backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32382",
"datePublished": "2025-04-10T14:40:53.861Z",
"dateReserved": "2025-04-06T19:46:02.462Z",
"dateUpdated": "2025-04-10T15:23:19.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30371 (GCVE-0-2025-30371)
Vulnerability from cvelistv5 – Published: 2025-03-28 14:47 – Updated: 2025-03-28 15:42
VLAI?
Title
Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint
Summary
Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:42:00.655805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:42:10.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.52.16.4"
},
{
"status": "affected",
"version": "\u003c 1.52.16.4"
},
{
"status": "affected",
"version": "\u003c 0.53.8"
},
{
"status": "affected",
"version": "\u003c 1.53.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T14:47:36.718Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98"
}
],
"source": {
"advisory": "GHSA-8xf9-9jc8-qp98",
"discovery": "UNKNOWN"
},
"title": "Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30371",
"datePublished": "2025-03-28T14:47:36.718Z",
"dateReserved": "2025-03-21T14:12:06.272Z",
"dateUpdated": "2025-03-28T15:42:10.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27141 (GCVE-0-2025-27141)
Vulnerability from cvelistv5 – Published: 2025-02-24 22:05 – Updated: 2025-02-25 14:31
VLAI?
Title
Metabase Enterprise Edition allows cached questions to leak data to impersonated users
Summary
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:31:15.032552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:31:28.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.47.0, \u003c 1.50.36"
},
{
"status": "affected",
"version": "\u003e= 1.51.0, \u003c 1.51.14"
},
{
"status": "affected",
"version": "\u003e= 1.52.0, \u003c 1.51.11"
},
{
"status": "affected",
"version": "\u003e= 1.53.0, \u003c 1.53.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T22:05:14.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p"
},
{
"name": "https://www.metabase.com/docs/latest/configuring-metabase/caching",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.metabase.com/docs/latest/configuring-metabase/caching"
},
{
"name": "https://www.metabase.com/docs/latest/permissions/impersonation",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.metabase.com/docs/latest/permissions/impersonation"
}
],
"source": {
"advisory": "GHSA-6cc4-h534-xh5p",
"discovery": "UNKNOWN"
},
"title": "Metabase Enterprise Edition allows cached questions to leak data to impersonated users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27141",
"datePublished": "2025-02-24T22:05:14.188Z",
"dateReserved": "2025-02-19T16:30:47.777Z",
"dateUpdated": "2025-02-25T14:31:28.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55951 (GCVE-0-2024-55951)
Vulnerability from cvelistv5 – Published: 2024-12-16 20:03 – Updated: 2024-12-17 15:17
VLAI?
Title
Metabase sandboxed users could see filter values from other sandboxed users
Summary
Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T15:17:06.667171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T15:17:36.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.52.0, \u003c 1.52.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T20:03:54.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3"
},
{
"name": "https://downloads.metabase.com/v0.52.2.5/metabase.jar",
"tags": [
"x_refsource_MISC"
],
"url": "https://downloads.metabase.com/v0.52.2.5/metabase.jar"
},
{
"name": "https://hub.docker.com/r/metabase/metabase/tags",
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/metabase/metabase/tags"
}
],
"source": {
"advisory": "GHSA-rhjf-q2qw-rvx3",
"discovery": "UNKNOWN"
},
"title": "Metabase sandboxed users could see filter values from other sandboxed users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55951",
"datePublished": "2024-12-16T20:03:54.861Z",
"dateReserved": "2024-12-13T17:47:38.371Z",
"dateUpdated": "2024-12-17T15:17:36.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37470 (GCVE-0-2023-37470)
Vulnerability from cvelistv5 – Published: 2023-08-04 15:12 – Updated: 2024-10-17 14:54
VLAI?
Title
Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint
Summary
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite.
Severity ?
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:54:25.239902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:54:36.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.43.7.3"
},
{
"status": "affected",
"version": "\u003e= 0.44.0.0, \u003c 0.44.7.3"
},
{
"status": "affected",
"version": "\u003e= 0.45.0.0, \u003c 0.45.4.3"
},
{
"status": "affected",
"version": "\u003e= 0.46.0.0, \u003c 0.46.6.4"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.43.7.3"
},
{
"status": "affected",
"version": "\u003e= 1.44.0.0, \u003c 1.44.7.3"
},
{
"status": "affected",
"version": "\u003e= 1.45.0.0, \u003c 1.45.4.3"
},
{
"status": "affected",
"version": "\u003e= 1.46.0.0, \u003c 1.46.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one\u0027s Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T15:12:43.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83"
}
],
"source": {
"advisory": "GHSA-p7w3-9m58-rq83",
"discovery": "UNKNOWN"
},
"title": "Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37470",
"datePublished": "2023-08-04T15:12:43.188Z",
"dateReserved": "2023-07-06T13:01:36.998Z",
"dateUpdated": "2024-10-17T14:54:36.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38646 (GCVE-0-2023-38646)
Vulnerability from cvelistv5 – Published: 2023-07-21 00:00 – Updated: 2024-08-02 17:46
VLAI?
Summary
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.metabase.com/blog/security-advisory"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=36812256"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/metabase/metabase/issues/32552"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server\u0027s privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T16:05:58.126975",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.metabase.com/blog/security-advisory"
},
{
"url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1"
},
{
"url": "https://news.ycombinator.com/item?id=36812256"
},
{
"url": "https://github.com/metabase/metabase/issues/32552"
},
{
"url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html"
},
{
"url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38646",
"datePublished": "2023-07-21T00:00:00",
"dateReserved": "2023-07-21T00:00:00",
"dateUpdated": "2024-08-02T17:46:56.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32680 (GCVE-0-2023-32680)
Vulnerability from cvelistv5 – Published: 2023-05-18 22:55 – Updated: 2025-02-12 16:38
VLAI?
Title
Missing SQL permissions check in metabase
Summary
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.
Severity ?
5.8 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
},
{
"name": "https://github.com/metabase/metabase/pull/30852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/pull/30852"
},
{
"name": "https://github.com/metabase/metabase/pull/30853",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/pull/30853"
},
{
"name": "https://github.com/metabase/metabase/pull/30854",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/pull/30854"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T19:09:31.091603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:38:47.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.7"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.44.7"
},
{
"status": "affected",
"version": "\u003e= 0.45.0, \u003c 0.45.4"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.45.4"
},
{
"status": "affected",
"version": "\u003e= 0.46.0, \u003c 0.46.3"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.46.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-18T22:55:30.636Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
},
{
"name": "https://github.com/metabase/metabase/pull/30852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metabase/metabase/pull/30852"
},
{
"name": "https://github.com/metabase/metabase/pull/30853",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metabase/metabase/pull/30853"
},
{
"name": "https://github.com/metabase/metabase/pull/30854",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metabase/metabase/pull/30854"
}
],
"source": {
"advisory": "GHSA-mw6j-f894-4qxv",
"discovery": "UNKNOWN"
},
"title": "Missing SQL permissions check in metabase"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32680",
"datePublished": "2023-05-18T22:55:30.636Z",
"dateReserved": "2023-05-11T16:33:45.731Z",
"dateUpdated": "2025-02-12T16:38:47.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23629 (GCVE-0-2023-23629)
Vulnerability from cvelistv5 – Published: 2023-01-28 01:23 – Updated: 2025-03-10 21:17
VLAI?
Title
Metabase subject to Improper Privilege Management
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.
Severity ?
6.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:43.915067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:17:37.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-28T01:23:33.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
}
],
"source": {
"advisory": "GHSA-ch8f-hhq9-7gv5",
"discovery": "UNKNOWN"
},
"title": "Metabase subject to Improper Privilege Management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23629",
"datePublished": "2023-01-28T01:23:33.300Z",
"dateReserved": "2023-01-16T17:07:46.245Z",
"dateUpdated": "2025-03-10T21:17:37.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23628 (GCVE-0-2023-23628)
Vulnerability from cvelistv5 – Published: 2023-01-28 01:11 – Updated: 2025-03-10 21:17
VLAI?
Title
Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:46.739997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:17:43.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-28T01:11:16.710Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
}
],
"source": {
"advisory": "GHSA-492f-qxr3-9rrv",
"discovery": "UNKNOWN"
},
"title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23628",
"datePublished": "2023-01-28T01:11:16.710Z",
"dateReserved": "2023-01-16T17:07:46.244Z",
"dateUpdated": "2025-03-10T21:17:43.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5895 (GCVE-0-2025-5895)
Vulnerability from nvd – Published: 2025-06-09 20:00 – Updated: 2025-06-10 15:30
VLAI?
Title
Metabase dom.js parseDataUri redos
Summary
A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Credits
mmmsssttt (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5895",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:23:31.679790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:32.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/metabase/metabase/pull/57011"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Metabase",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "54.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Metabase 54.10 ausgemacht. Sie wurde als problematisch eingestuft. Es geht dabei um die Funktion parseDataUri der Datei frontend/src/metabase/lib/dom.js. Durch Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Der Patch wird als 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:00:19.261Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311667 | Metabase dom.js parseDataUri redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311667"
},
{
"name": "VDB-311667 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311667"
},
{
"name": "Submit #585795 | metabase @metabase 54.10 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585795"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/metabase/metabase/pull/57011"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135"
},
{
"tags": [
"patch"
],
"url": "https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:52:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "Metabase dom.js parseDataUri redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5895",
"datePublished": "2025-06-09T20:00:19.261Z",
"dateReserved": "2025-06-09T06:47:00.425Z",
"dateUpdated": "2025-06-10T15:30:32.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32382 (GCVE-0-2025-32382)
Vulnerability from nvd – Published: 2025-04-10 14:40 – Updated: 2025-04-10 15:23
VLAI?
Title
Snowflake credentials logged by the Metabase backend
Summary
Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase found a connection that worked, it would log (log/infof "Successfully connected, migrating to: %s" (pr-str test-details)) which would then print the username and password to the logger. This is fixed in 52.17.1, 53.9.5 and 54.1.5 in both the OSS and enterprise editions. Versions 51 and lower are not impacted.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T15:23:05.467005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:23:19.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.52.12, \u003c 0.52.17.1"
},
{
"status": "affected",
"version": "\u003e= 1.52.12, \u003c 1.52.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.53.2.3, \u003c 0.53.9.5"
},
{
"status": "affected",
"version": "\u003e= 1.53.2.3, \u003c 1.53.9.5"
},
{
"status": "affected",
"version": "\u003e= 0.54.0.0, \u003c 0.54.1.5"
},
{
"status": "affected",
"version": "\u003e= 1.54.0.0, \u003c 1.54.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase found a connection that worked, it would log (log/infof \"Successfully connected, migrating to: %s\" (pr-str test-details)) which would then print the username and password to the logger. This is fixed in 52.17.1, 53.9.5 and 54.1.5 in both the OSS and enterprise editions. Versions 51 and lower are not impacted."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:40:53.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f"
}
],
"source": {
"advisory": "GHSA-832j-56xw-5p7f",
"discovery": "UNKNOWN"
},
"title": "Snowflake credentials logged by the Metabase backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32382",
"datePublished": "2025-04-10T14:40:53.861Z",
"dateReserved": "2025-04-06T19:46:02.462Z",
"dateUpdated": "2025-04-10T15:23:19.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30371 (GCVE-0-2025-30371)
Vulnerability from nvd – Published: 2025-03-28 14:47 – Updated: 2025-03-28 15:42
VLAI?
Title
Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint
Summary
Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:42:00.655805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:42:10.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.52.16.4"
},
{
"status": "affected",
"version": "\u003c 1.52.16.4"
},
{
"status": "affected",
"version": "\u003c 0.53.8"
},
{
"status": "affected",
"version": "\u003c 1.53.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet with strict outbound port controls is an available workaround."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T14:47:36.718Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98"
}
],
"source": {
"advisory": "GHSA-8xf9-9jc8-qp98",
"discovery": "UNKNOWN"
},
"title": "Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30371",
"datePublished": "2025-03-28T14:47:36.718Z",
"dateReserved": "2025-03-21T14:12:06.272Z",
"dateUpdated": "2025-03-28T15:42:10.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27141 (GCVE-0-2025-27141)
Vulnerability from nvd – Published: 2025-02-24 22:05 – Updated: 2025-02-25 14:31
VLAI?
Title
Metabase Enterprise Edition allows cached questions to leak data to impersonated users
Summary
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:31:15.032552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:31:28.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.47.0, \u003c 1.50.36"
},
{
"status": "affected",
"version": "\u003e= 1.51.0, \u003c 1.51.14"
},
{
"status": "affected",
"version": "\u003e= 1.52.0, \u003c 1.51.11"
},
{
"status": "affected",
"version": "\u003e= 1.53.0, \u003c 1.53.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T22:05:14.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p"
},
{
"name": "https://www.metabase.com/docs/latest/configuring-metabase/caching",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.metabase.com/docs/latest/configuring-metabase/caching"
},
{
"name": "https://www.metabase.com/docs/latest/permissions/impersonation",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.metabase.com/docs/latest/permissions/impersonation"
}
],
"source": {
"advisory": "GHSA-6cc4-h534-xh5p",
"discovery": "UNKNOWN"
},
"title": "Metabase Enterprise Edition allows cached questions to leak data to impersonated users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27141",
"datePublished": "2025-02-24T22:05:14.188Z",
"dateReserved": "2025-02-19T16:30:47.777Z",
"dateUpdated": "2025-02-25T14:31:28.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55951 (GCVE-0-2024-55951)
Vulnerability from nvd – Published: 2024-12-16 20:03 – Updated: 2024-12-17 15:17
VLAI?
Title
Metabase sandboxed users could see filter values from other sandboxed users
Summary
Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T15:17:06.667171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T15:17:36.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.52.0, \u003c 1.52.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T20:03:54.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3"
},
{
"name": "https://downloads.metabase.com/v0.52.2.5/metabase.jar",
"tags": [
"x_refsource_MISC"
],
"url": "https://downloads.metabase.com/v0.52.2.5/metabase.jar"
},
{
"name": "https://hub.docker.com/r/metabase/metabase/tags",
"tags": [
"x_refsource_MISC"
],
"url": "https://hub.docker.com/r/metabase/metabase/tags"
}
],
"source": {
"advisory": "GHSA-rhjf-q2qw-rvx3",
"discovery": "UNKNOWN"
},
"title": "Metabase sandboxed users could see filter values from other sandboxed users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55951",
"datePublished": "2024-12-16T20:03:54.861Z",
"dateReserved": "2024-12-13T17:47:38.371Z",
"dateUpdated": "2024-12-17T15:17:36.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37470 (GCVE-0-2023-37470)
Vulnerability from nvd – Published: 2023-08-04 15:12 – Updated: 2024-10-17 14:54
VLAI?
Title
Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint
Summary
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite.
Severity ?
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:30.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T14:54:25.239902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T14:54:36.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.43.7.3"
},
{
"status": "affected",
"version": "\u003e= 0.44.0.0, \u003c 0.44.7.3"
},
{
"status": "affected",
"version": "\u003e= 0.45.0.0, \u003c 0.45.4.3"
},
{
"status": "affected",
"version": "\u003e= 0.46.0.0, \u003c 0.46.6.4"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.43.7.3"
},
{
"status": "affected",
"version": "\u003e= 1.44.0.0, \u003c 1.44.7.3"
},
{
"status": "affected",
"version": "\u003e= 1.45.0.0, \u003c 1.45.4.3"
},
{
"status": "affected",
"version": "\u003e= 1.46.0.0, \u003c 1.46.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one\u0027s Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T15:12:43.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83"
}
],
"source": {
"advisory": "GHSA-p7w3-9m58-rq83",
"discovery": "UNKNOWN"
},
"title": "Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37470",
"datePublished": "2023-08-04T15:12:43.188Z",
"dateReserved": "2023-07-06T13:01:36.998Z",
"dateUpdated": "2024-10-17T14:54:36.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38646 (GCVE-0-2023-38646)
Vulnerability from nvd – Published: 2023-07-21 00:00 – Updated: 2024-08-02 17:46
VLAI?
Summary
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.metabase.com/blog/security-advisory"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=36812256"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/metabase/metabase/issues/32552"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server\u0027s privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T16:05:58.126975",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.metabase.com/blog/security-advisory"
},
{
"url": "https://github.com/metabase/metabase/releases/tag/v0.46.6.1"
},
{
"url": "https://news.ycombinator.com/item?id=36812256"
},
{
"url": "https://github.com/metabase/metabase/issues/32552"
},
{
"url": "http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html"
},
{
"url": "http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38646",
"datePublished": "2023-07-21T00:00:00",
"dateReserved": "2023-07-21T00:00:00",
"dateUpdated": "2024-08-02T17:46:56.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32680 (GCVE-0-2023-32680)
Vulnerability from nvd – Published: 2023-05-18 22:55 – Updated: 2025-02-12 16:38
VLAI?
Title
Missing SQL permissions check in metabase
Summary
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.
Severity ?
5.8 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
},
{
"name": "https://github.com/metabase/metabase/pull/30852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/pull/30852"
},
{
"name": "https://github.com/metabase/metabase/pull/30853",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/pull/30853"
},
{
"name": "https://github.com/metabase/metabase/pull/30854",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/pull/30854"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T19:09:31.091603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:38:47.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.7"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.44.7"
},
{
"status": "affected",
"version": "\u003e= 0.45.0, \u003c 0.45.4"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.45.4"
},
{
"status": "affected",
"version": "\u003e= 0.46.0, \u003c 0.46.3"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.46.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-18T22:55:30.636Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
},
{
"name": "https://github.com/metabase/metabase/pull/30852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metabase/metabase/pull/30852"
},
{
"name": "https://github.com/metabase/metabase/pull/30853",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metabase/metabase/pull/30853"
},
{
"name": "https://github.com/metabase/metabase/pull/30854",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metabase/metabase/pull/30854"
}
],
"source": {
"advisory": "GHSA-mw6j-f894-4qxv",
"discovery": "UNKNOWN"
},
"title": "Missing SQL permissions check in metabase"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32680",
"datePublished": "2023-05-18T22:55:30.636Z",
"dateReserved": "2023-05-11T16:33:45.731Z",
"dateUpdated": "2025-02-12T16:38:47.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23629 (GCVE-0-2023-23629)
Vulnerability from nvd – Published: 2023-01-28 01:23 – Updated: 2025-03-10 21:17
VLAI?
Title
Metabase subject to Improper Privilege Management
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.
Severity ?
6.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:43.915067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:17:37.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-28T01:23:33.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
}
],
"source": {
"advisory": "GHSA-ch8f-hhq9-7gv5",
"discovery": "UNKNOWN"
},
"title": "Metabase subject to Improper Privilege Management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23629",
"datePublished": "2023-01-28T01:23:33.300Z",
"dateReserved": "2023-01-16T17:07:46.245Z",
"dateUpdated": "2025-03-10T21:17:37.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23628 (GCVE-0-2023-23628)
Vulnerability from nvd – Published: 2023-01-28 01:11 – Updated: 2025-03-10 21:17
VLAI?
Title
Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
Severity ?
5.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:46.739997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:17:43.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "metabase",
"vendor": "metabase",
"versions": [
{
"status": "affected",
"version": "\u003c 0.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.43.7.1"
},
{
"status": "affected",
"version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1"
},
{
"status": "affected",
"version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-28T01:11:16.710Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
}
],
"source": {
"advisory": "GHSA-492f-qxr3-9rrv",
"discovery": "UNKNOWN"
},
"title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-23628",
"datePublished": "2023-01-28T01:11:16.710Z",
"dateReserved": "2023-01-16T17:07:46.244Z",
"dateUpdated": "2025-03-10T21:17:43.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}