Perivamsipublished

**Name of the Vulnerable Software and Affected Versions** Metabase Enterprise Edition versions 1.47.0 through 1.49.x Metabase Enterprise Edition versions 1.50.0 through 1.50.35 Metabase Enterprise Edition versions 1.51.0 through 1.51.13 Metabase Enterprise Edition versions 1.52.0 through 1.52.10 **Description** The issue allows users with impersonation permissions to see results of cached questions, even if their permissions don’t allow them to see the data. This occurs when an impersonated user runs a question that was previously run by another user, resulting in the impersonated user seeing the same results as the previous user. These cached results may include data the impersonated user should not have access to. **Recommendations** For Metabase Enterprise Edition versions 1.47.0 through 1.49.x, upgrade to a major version with an available fix. For Metabase Enterprise Edition versions 1.50.0 through 1.50.35, upgrade to version 1.50.36 or later. For Metabase Enterprise Edition versions 1.51.0 through 1.51.13, upgrade to version 1.51.14 or later. For Metabase Enterprise Edition versions 1.52.0 through 1.52.10, upgrade to version 1.52.11 or later. As a temporary workaround, consider disabling question caching to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Metabase versions 1.52.0 through 1.52.2.4 **Description** Metabase is an open-source data analytics platform. For new sandboxing configurations created in the specified versions, sandboxed users are able to see field filter values from other sandboxed users. This issue is fixed in version 1.52.2.5. **Recommendations** For versions 1.52.0, 1.52.1, and 1.5.2, upgrade to version 1.52.2.5 to resolve the issue. For versions prior to 1.52.2.5, upgrade to version 1.52.2.5 to resolve the issue. At the moment, there is no information about other workarounds for this issue apart from upgrading to version 1.52.2.5.