CVE-2023-32680 (GCVE-0-2023-32680)

Vulnerability from cvelistv5 – Published: 2023-05-18 22:55 – Updated: 2025-02-12 16:38
Summary
Metabase is an open source business analytics engine. To edit SQL snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database, but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that:
  • Anyone, including people in sandboxed groups, could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question.
  • People in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access.
The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner: GitHub_M
Impacted products
Vendor    Product   Version
metabase  metabase  Affected: < 0.44.7
                    Affected: >= 1.0.0, < 1.44.7
                    Affected: >= 0.45.0, < 0.45.4
                    Affected: >= 1.0.0, < 1.45.4
                    Affected: >= 0.46.0, < 0.46.3
                    Affected: >= 1.0.0, < 1.46.3

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:25:36.349Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
          },
          {
            "name": "https://github.com/metabase/metabase/pull/30852",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/pull/30852"
          },
          {
            "name": "https://github.com/metabase/metabase/pull/30853",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/pull/30853"
          },
          {
            "name": "https://github.com/metabase/metabase/pull/30854",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/metabase/metabase/pull/30854"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-21T19:09:31.091603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T16:38:47.023Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "metabase",
          "vendor": "metabase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.44.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.44.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.45.0, \u003c 0.45.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.45.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.46.0, \u003c 0.46.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.46.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-18T22:55:30.636Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv"
        },
        {
          "name": "https://github.com/metabase/metabase/pull/30852",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/metabase/metabase/pull/30852"
        },
        {
          "name": "https://github.com/metabase/metabase/pull/30853",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/metabase/metabase/pull/30853"
        },
        {
          "name": "https://github.com/metabase/metabase/pull/30854",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/metabase/metabase/pull/30854"
        }
      ],
      "source": {
        "advisory": "GHSA-mw6j-f894-4qxv",
        "discovery": "UNKNOWN"
      },
      "title": "Missing SQL permissions check in metabase"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32680",
    "datePublished": "2023-05-18T22:55:30.636Z",
    "dateReserved": "2023-05-11T16:33:45.731Z",
    "dateUpdated": "2025-02-12T16:38:47.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.44.7\", \"matchCriteriaId\": \"224A57A1-0426-402D-B2AB-A7909F995D27\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.45.0\", \"versionEndExcluding\": \"0.45.4\", \"matchCriteriaId\": \"426C2FA2-C43E-4E09-8995-26E4E8254C9C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.46.0\", \"versionEndExcluding\": \"0.46.3\", \"matchCriteriaId\": \"6D569869-9451-48ED-8C82-CFC560A830E5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.0.0\", \"versionEndExcluding\": \"1.44.7\", \"matchCriteriaId\": \"6024329D-A315-45C7-BE88-9AE30787DACE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.45.0\", \"versionEndExcluding\": \"1.45.4\", \"matchCriteriaId\": \"7C8547BD-E4C3-45EB-9294-A9CDF88303EE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.46.0\", \"versionEndExcluding\": \"1.46.3\", \"matchCriteriaId\": \"A3A7E247-05AE-43A6-A924-CB6B62679CD7\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\\u2013including people in sandboxed groups\\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.\"}]",
      "id": "CVE-2023-32680",
      "lastModified": "2024-11-21T08:03:50.250",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N\", \"baseScore\": 5.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 5.8}]}",
      "published": "2023-05-18T23:15:09.783",
      "references": "[{\"url\": \"https://github.com/metabase/metabase/pull/30852\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30853\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30854\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30852\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30853\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30854\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32680\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-18T23:15:09.783\",\"lastModified\":\"2024-11-21T08:03:50.250\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\u2013including people in sandboxed groups\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.44.7\",\"matchCriteriaId\":\"224A57A1-0426-402D-B2AB-A7909F995D27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.45.0\",\"versionEndExcluding\":\"0.45.4\",\"matchCriteriaId\":\"426C2FA2-C43E-4E09-8995-26E4E8254C9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.46.0\",\"versionEndExcluding\":\"0.46.3\",\"matchCriteriaId\":\"6D569869-9451-48ED-8C82-CFC560A830E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.44.7\",\"matchCriteriaId\":\"6024329D-A315-45C7-BE88-9AE30787DACE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.45.0\",\"versionEndExcluding\":\"1.45.4\",\"matchCriteriaId\":\"7C8547BD-E4C3-45EB-9294-A9CDF88303EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.46.0\",\"versionEndExcluding\":\"1.46.3\",\"matchCriteriaId\":\"A3A7E247-05AE-43A6-A924-CB6B62679CD7\"}]}]}],\"references\":[{\"url\":\"https://github.com/metabase/metabase/pull/30852\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/metabase/metabase/pull/30853\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/metabase/metabase/pull/30854\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/metabase/metabase/pull/30852\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/metabase/metabase/pull/30853\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/metabase/metabase/pull/30854\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\", \"name\": \"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30852\", \"name\": \"https://github.com/metabase/metabase/pull/30852\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30853\", \"name\": \"https://github.com/metabase/metabase/pull/30853\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30854\", \"name\": \"https://github.com/metabase/metabase/pull/30854\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:25:36.349Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32680\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-21T19:09:31.091603Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T16:38:43.216Z\"}}], \"cna\": {\"title\": \"Missing SQL permissions check in metabase\", \"source\": {\"advisory\": \"GHSA-mw6j-f894-4qxv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"metabase\", \"product\": \"metabase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.44.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.44.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.45.0, \u003c 0.45.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.45.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.46.0, \u003c 0.46.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.46.3\"}]}], \"references\": [{\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\", \"name\": \"https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30852\", \"name\": \"https://github.com/metabase/metabase/pull/30852\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30853\", \"name\": \"https://github.com/metabase/metabase/pull/30853\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/metabase/metabase/pull/30854\", \"name\": \"https://github.com/metabase/metabase/pull/30854\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database\\u2013but affected versions of Metabase didn\u0027t enforce that requirement. This lack of enforcement meant that: Anyone\\u2013including people in sandboxed groups\\u2013could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-05-18T22:55:30.636Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32680\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T16:38:47.023Z\", \"dateReserved\": \"2023-05-11T16:33:45.731Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-05-18T22:55:30.636Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}
