CVE-2023-23628
Vulnerability from cvelistv5
Published
2023-01-28 01:11
Modified
2024-08-02 10:35
Severity ?
EPSS score ?
Summary
Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv | Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:35:33.640Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "metabase", "vendor": "metabase", "versions": [ { "status": "affected", "version": "\u003c 0.43.7.1" }, { "status": "affected", "version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1" }, { "status": "affected", "version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1" }, { "status": "affected", "version": "\u003e= 1.0.0, \u003c 1.43.7.1" }, { "status": "affected", "version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1" }, { "status": "affected", "version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-28T01:11:16.710Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv" } ], "source": { "advisory": "GHSA-492f-qxr3-9rrv", "discovery": "UNKNOWN" }, "title": "Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor " } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-23628", "datePublished": "2023-01-28T01:11:16.710Z", "dateReserved": "2023-01-16T17:07:46.244Z", "dateUpdated": "2024-08-02T10:35:33.640Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-23628\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-28T02:15:07.797\",\"lastModified\":\"2023-11-07T04:07:50.497\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn\u0027t be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.\\n\"},{\"lang\":\"es\",\"value\":\"Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a la exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado. Los usuarios del espacio aislado no deber\u00edan poder ver datos sobre otros usuarios de Metabase en ninguna parte de la aplicaci\u00f3n Metabase. Sin embargo, cuando un usuario del espacio aislado ve la configuraci\u00f3n de una suscripci\u00f3n al panel y otro usuario ha agregado usuarios a esa suscripci\u00f3n, el usuario del espacio aislado puede ver la lista de destinatarios de esa suscripci\u00f3n. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. No hay workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.1,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.3,\"impactScore\":1.4},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.43.7.1\",\"matchCriteriaId\":\"B739CE77-5465-4018-9A7D-EFE7E2C6912C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.44.0\",\"versionEndExcluding\":\"0.44.6.1\",\"matchCriteriaId\":\"DF00E09E-C915-4D5E-BF06-D52E044752C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.45.0\",\"versionEndExcluding\":\"0.45.2.1\",\"matchCriteriaId\":\"D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.43.7.1\",\"matchCriteriaId\":\"79CF2F09-CA1A-4A02-A529-8E879C011505\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.44.0\",\"versionEndExcluding\":\"1.44.6.1\",\"matchCriteriaId\":\"2A2796BF-3609-4633-9465-671B1A6BDF44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.45.0\",\"versionEndExcluding\":\"1.45.2.1\",\"matchCriteriaId\":\"79B81DBB-484A-466C-95B3-CD91F7390D31\"}]}]}],\"references\":[{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.