CVE-2023-23628

Name of the Vulnerable Software and Affected Versions Metabase versions prior to 0.43.7.1 Metabase versions prior to 1.43.7.1 Metabase versions prior to 0.44.6.1 Metabase versions prior to 1.44.6.1 Metabase versions prior to 0.45.2.1 Metabase versions prior to 1.45.2.1

Description Metabase is an open source data analytics platform. The issue concerns Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users should not be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription.

Recommendations For versions prior to 0.43.7.1, update to version 0.43.7.1 or later. For versions prior to 1.43.7.1, update to version 1.43.7.1 or later. For versions prior to 0.44.6.1, update to version 0.44.6.1 or later. For versions prior to 1.44.6.1, update to version 1.44.6.1 or later. For versions prior to 0.45.2.1, update to version 0.45.2.1 or later. For versions prior to 1.45.2.1, update to version 1.45.2.1 or later.