Nemanjaglumac
·
Published
2023-01-28
·
Updated
2023-02-06
·
CVE-2023-23628
5.7
Medium
| Base vector | Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Metabase versions prior to 0.43.7.1
Metabase versions prior to 1.43.7.1
Metabase versions prior to 0.44.6.1
Metabase versions prior to 1.44.6.1
Metabase versions prior to 0.45.2.1
Metabase versions prior to 1.45.2.1
Description:
Metabase is an open source data analytics platform. The issue concerns Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users should not be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription.
Recommendations:
For versions prior to 0.43.7.1, update to version 0.43.7.1 or later.
For versions prior to 1.43.7.1, update to version 1.43.7.1 or later.
For versions prior to 0.44.6.1, update to version 0.44.6.1 or later.
For versions prior to 1.44.6.1, update to version 1.44.6.1 or later.
For versions prior to 0.45.2.1, update to version 0.45.2.1 or later.
For versions prior to 1.45.2.1, update to version 1.45.2.1 or later.
Fix
Information Disclosure