cve-2023-23629
Vulnerability from cvelistv5
Published
2023-01-28 01:23
Modified
2024-08-02 10:35
Summary
Metabase subject to Improper Privilege Management
Impacted products
metabase / metabase


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:35:33.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "metabase",
          "vendor": "metabase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.43.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.44.0-RC1, \u003c 0.44.6.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.45.0-RC1, \u003c 0.45.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.43.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.44.0-RC1, \u003c 1.44.6.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.45.0-RC1, \u003c 1.45.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-28T01:23:33.300Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"
        }
      ],
      "source": {
        "advisory": "GHSA-ch8f-hhq9-7gv5",
        "discovery": "UNKNOWN"
      },
      "title": "Metabase subject to Improper Privilege Management"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-23629",
    "datePublished": "2023-01-28T01:23:33.300Z",
    "dateReserved": "2023-01-16T17:07:46.245Z",
    "dateUpdated": "2024-08-02T10:35:33.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23629\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-28T02:15:07.900\",\"lastModified\":\"2023-11-07T04:07:50.620\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \\\"Subscriptions and Alerts\\\" permission for groups that have restricted data permissions, as a workaround.\\n\"},{\"lang\":\"es\",\"value\":\"Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a una gesti\u00f3n de privilegios inadecuada. Seg\u00fan lo previsto, los destinatarios de las suscripciones a paneles pueden ver los datos tal como los ve el creador de esa suscripci\u00f3n. Esto permite que alguien con mayor acceso a los datos cree una suscripci\u00f3n al panel, agregue personas con menos privilegios de datos y todos los destinatarios de esa suscripci\u00f3n reciban los mismos datos: los gr\u00e1ficos que se muestran en el correo electr\u00f3nico cumplir\u00e1n con los privilegios del usuario que cre\u00f3 la suscripci\u00f3n. . 
El problema es que los usuarios con menos privilegios que pueden ver un panel pueden agregarse a una suscripci\u00f3n al panel creada por alguien con privilegios de datos adicionales y, por lo tanto, obtener acceso a m\u00e1s datos por correo electr\u00f3nico. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. En instancias de Metabase que ejecutan Enterprise Edition, los administradores pueden desactivar el permiso \\\"Suscripciones y alertas\\\" para grupos que tienen permisos de datos restringidos, como workaround.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.43.7.1\
",\"matchCriteriaId\":\"B739CE77-5465-4018-9A7D-EFE7E2C6912C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.44.0\",\"versionEndExcluding\":\"0.44.6.1\",\"matchCriteriaId\":\"DF00E09E-C915-4D5E-BF06-D52E044752C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.45.0\",\"versionEndExcluding\":\"0.45.2.1\",\"matchCriteriaId\":\"D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.43.7.1\",\"matchCriteriaId\":\"79CF2F09-CA1A-4A02-A529-8E879C011505\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.44.0\",\"versionEndExcluding\":\"1.44.6.1\",\"matchCriteriaId\":\"2A2796BF-3609-4633-9465-671B1A6BDF44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.45.0\",\"versionEndExcluding\":\"1.45.2.1\",\"matchCriteriaId\":\"79B81DBB-484A-466C-95B3-CD91F7390D31\"}]}]}],\"references\":[{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}








Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or otherwise observed by the user reporting the sighting.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.