CVE-2023-23628 (GCVE-0-2023-23628)

Vulnerability from cvelistv5 – Published: 2023-01-28 01:11 – Updated: 2025-03-10 21:17
Summary
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
  • GitHub_M
References
  • https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv
Impacted products
Vendor: metabase
Product: metabase
Versions:
  • Affected: < 0.43.7.1
  • Affected: >= 0.44.0-RC1, < 0.44.6.1
  • Affected: >= 0.45.0-RC1, < 0.45.2.1
  • Affected: >= 1.0.0, < 1.43.7.1
  • Affected: >= 1.44.0-RC1, < 1.44.6.1
  • Affected: >= 1.45.0-RC1, < 1.45.2.1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:35:33.640Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23628",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:58:46.739997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:17:43.694Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "metabase",
          "vendor": "metabase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.43.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.43.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-28T01:11:16.710Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv"
        }
      ],
      "source": {
        "advisory": "GHSA-492f-qxr3-9rrv",
        "discovery": "UNKNOWN"
      },
      "title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor "
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-23628",
    "datePublished": "2023-01-28T01:11:16.710Z",
    "dateReserved": "2023-01-16T17:07:46.244Z",
    "dateUpdated": "2025-03-10T21:17:43.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.43.7.1\", \"matchCriteriaId\": \"B739CE77-5465-4018-9A7D-EFE7E2C6912C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.44.0\", \"versionEndExcluding\": \"0.44.6.1\", \"matchCriteriaId\": \"DF00E09E-C915-4D5E-BF06-D52E044752C5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.45.0\", \"versionEndExcluding\": \"0.45.2.1\", \"matchCriteriaId\": \"D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.0.0\", \"versionEndExcluding\": \"1.43.7.1\", \"matchCriteriaId\": \"79CF2F09-CA1A-4A02-A529-8E879C011505\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.44.0\", \"versionEndExcluding\": \"1.44.6.1\", \"matchCriteriaId\": \"2A2796BF-3609-4633-9465-671B1A6BDF44\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.45.0\", \"versionEndExcluding\": \"1.45.2.1\", \"matchCriteriaId\": \"79B81DBB-484A-466C-95B3-CD91F7390D31\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\\n\"}, {\"lang\": \"es\", \"value\": \"Metabase es una plataforma de an\\u00e1lisis de datos de c\\u00f3digo abierto. Las versiones afectadas est\\u00e1n sujetas a la exposici\\u00f3n de informaci\\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\\u00f3n de una suscripci\\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\\u00f3n. Este problema se solucion\\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds.\"}]",
      "id": "CVE-2023-23628",
      "lastModified": "2024-11-21T07:46:34.077",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"baseScore\": 4.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 1.4}]}",
      "published": "2023-01-28T02:15:07.797",
      "references": "[{\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    }
  }
}

