PT-2023-23956 · Metabase · Metabase
Nemanjaglumac
Published 2023-05-18 · Updated 2023-05-26
CVE-2023-32680
CVSS v3.1 score: 5.8 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Metabase versions prior to 0.44.7
Metabase versions prior to 0.45.4
Metabase versions prior to 0.46.3
Metabase versions prior to 1.44.7
Metabase versions prior to 1.45.4
Metabase versions prior to 1.46.3
Description
Metabase is an open source business analytics engine. Affected versions did not enforce the requirement that a user be in at least one group with native query editing permission on a database before editing SQL snippets. As a result, any authenticated user, including members of sandboxed groups, could edit SQL snippets through the API or the application UI. Sandbox definitions can be native queries that reference snippets, so when a snippet carries the logic that restricts which rows a user may see, editing that snippet could change the user's effective level of data access.
Recommendations
For Metabase versions prior to 0.44.7, upgrade to version 0.44.7 or later.
For Metabase versions prior to 0.45.4, upgrade to version 0.45.4 or later.
For Metabase versions prior to 0.46.3, upgrade to version 0.46.3 or later.
For Metabase versions prior to 1.44.7, upgrade to version 1.44.7 or later.
For Metabase versions prior to 1.45.4, upgrade to version 1.45.4 or later.
For Metabase versions prior to 1.46.3, upgrade to version 1.46.3 or later.
For users unable to upgrade, ensure that SQL queries used to create sandboxes exclude SQL snippets.
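The following is an added illustration, not Metabase's code, of the two points above: how a snippet referenced by a sandbox query decides what a sandboxed user can see, and the permission check the fix enforces on snippet edits. The `{{snippet: name}}` syntax is Metabase's; the expansion logic, the `SnippetStore` class, the `native_editors` mapping and the `orders` table are assumptions constructed for the example. `referenced_snippets` also implements the workaround check for users who cannot upgrade (flag any sandbox query that references a snippet).

```python
import re
import sqlite3

# Metabase-style snippet reference inside a native query: {{snippet: name}}
SNIPPET_REF = re.compile(r"\{\{\s*snippet:\s*([^}]+?)\s*\}\}")


def referenced_snippets(sql):
    """Names of snippets referenced by a query. Used here to audit sandbox
    queries, per the advisory's workaround (sandbox SQL should use none)."""
    return SNIPPET_REF.findall(sql)


def expand_snippets(sql, snippets):
    """Inline snippet bodies into the query. Illustrative expansion modelled
    on Metabase's syntax; not Metabase's own implementation."""
    return SNIPPET_REF.sub(lambda m: snippets[m.group(1)], sql)


class SnippetStore:
    """Snippet bodies plus the permission data relevant to CVE-2023-32680.
    native_editors maps user -> set of databases on which that user belongs
    to a group with native query editing permission (assumed shape)."""

    def __init__(self, snippets, native_editors):
        self.snippets = dict(snippets)
        self.native_editors = native_editors

    def update_vulnerable(self, user, name, body):
        # Pre-fix behaviour: any authenticated user may edit any snippet.
        self.snippets[name] = body

    def update_fixed(self, user, name, body):
        # Fixed behaviour: the editor must hold native query editing
        # permission on at least one database, otherwise the edit is refused.
        if not self.native_editors.get(user):
            raise PermissionError(f"{user} may not edit SQL snippets")
        self.snippets[name] = body


def run_sandboxed(conn, sandbox_sql, store):
    """Run a sandbox definition after expanding its snippets; return the rows
    the sandboxed user would see."""
    return conn.execute(expand_snippets(sandbox_sql, store.snippets)).fetchall()


def demo():
    # Constructed sample data, not taken from the advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "EU", 100), (2, "US", 250), (3, "EU", 75), (4, "APAC", 900)],
    )

    # Sandbox for an EU-only group: the row filter lives in the snippet.
    sandbox_sql = "SELECT id, region, amount FROM orders WHERE {{snippet: eu_only}}"
    store = SnippetStore(
        {"eu_only": "region = 'EU'"},
        native_editors={"admin": {"warehouse"}, "sandboxed_user": set()},
    )

    before = run_sandboxed(conn, sandbox_sql, store)  # EU rows only

    # The sandboxed user (no native query permission anywhere) rewrites the
    # snippet so the filter is always true. Unpatched: the edit is accepted.
    store.update_vulnerable("sandboxed_user", "eu_only", "1 = 1")
    after_vuln = run_sandboxed(conn, sandbox_sql, store)  # every row

    # Restore the snippet and attempt the same edit through the enforced path.
    store.snippets["eu_only"] = "region = 'EU'"
    try:
        store.update_fixed("sandboxed_user", "eu_only", "1 = 1")
        blocked = False
    except PermissionError:
        blocked = True
    after_fixed = run_sandboxed(conn, sandbox_sql, store)

    return {
        "before": len(before),
        "after_vuln": len(after_vuln),
        "blocked": blocked,
        "after_fixed": len(after_fixed),
        "sandbox_uses_snippets": bool(referenced_snippets(sandbox_sql)),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns 2 rows before the edit, 4 rows after the unchecked edit, and 2 rows again once the edit is refused by the permission check; `sandbox_uses_snippets` is true for this sandbox, which is exactly the condition the workaround tells you to eliminate until you can upgrade.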
Exploit
Fix
Weakness Enumeration
Missing Authentication (the page's label; the description above characterises the flaw as an authorization check that was missing for already-authenticated users)
Related identifiers
Affected products
Metabase