PT-2023-19089 · Metabase · Metabase

Nemanjaglumac · Published 2023-01-28 · Updated 2023-02-07 · CVE-2023-23629

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Metabase versions prior to 0.43.7.1
Metabase versions prior to 1.43.7.1
Metabase versions prior to 0.44.6.1
Metabase versions prior to 1.44.6.1
Metabase versions prior to 0.45.2.1
Metabase versions prior to 1.45.2.1

Description
The issue is Improper Privilege Management in Metabase, an open source data analytics platform. A user with restricted data permissions who can view a dashboard is able to add themselves as a recipient of a dashboard subscription that was created by a user with broader data permissions. Because dashboard subscriptions are rendered and emailed with the data permissions of the subscription's creator, not of each recipient, the lower-privileged recipient receives query results by email that they could not obtain by querying the data themselves.

Recommendations
For versions prior to 0.43.7.1, update to version 0.43.7.1 or later.
For versions prior to 1.43.7.1, update to version 1.43.7.1 or later.
For versions prior to 0.44.6.1, update to version 0.44.6.1 or later.
For versions prior to 1.44.6.1, update to version 1.44.6.1 or later.
For versions prior to 0.45.2.1, update to version 0.45.2.1 or later.
For versions prior to 1.45.2.1, update to version 1.45.2.1 or later.
As a temporary workaround for Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions. This workaround is not available on the open source edition, where upgrading is the only fix; existing subscriptions should also be reviewed, since a recipient added before the upgrade keeps receiving emails until removed.
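Because the fix does not retroactively remove recipients who added themselves, an administrator will want to find subscriptions whose recipients could not query the underlying data on their own. The script below is an added example written for this advisory, not code from Metabase or from the advisory's author. It runs over hand-constructed data that only loosely mirrors what Metabase's /api/user, /api/permissions/graph and /api/pulse endpoints return; the field names (groups, card_database_ids, recipient_ids), the group and database ids, and the user emails are all assumptions chosen for illustration. The check it performs is the one that matters for this CVE: for every database a subscription's cards read from, a recipient who is in no group with access to that database, while the creator is, is receiving data they are not permitted to see.

```python
"""Audit dashboard subscriptions for recipients who cannot query the data
they receive (CVE-2023-23629 exposure check, illustrative example).

All data below is constructed for this example. Field names are assumptions
and do not reproduce Metabase's real API payloads.
"""

# Constructed: user id -> email and set of permission-group ids.
# Group 1 stands in for Metabase's "All Users" group; group 5 is "Finance".
USERS = {
    10: {"email": "analyst@example.com", "groups": {1, 5}},
    11: {"email": "viewer@example.com",  "groups": {1}},
    12: {"email": "cfo@example.com",     "groups": {1, 5}},
}

# Constructed: database id -> groups granted data access to that database,
# as one would derive from the permissions graph.
DB_ACCESS = {
    1: {1, 5},   # sample database readable by everyone
    2: {5},      # payroll database: Finance group only
}

# Constructed: dashboard subscriptions with creator, the databases their
# cards query, and the email recipients.
SUBSCRIPTIONS = [
    {
        "id": 100,
        "name": "Weekly payroll summary",
        "creator_id": 10,
        "card_database_ids": {2},
        "recipient_ids": {10, 11, 12},   # user 11 added themselves
    },
    {
        "id": 101,
        "name": "Sample dashboard digest",
        "creator_id": 10,
        "card_database_ids": {1},
        "recipient_ids": {10, 11},
    },
]


def can_query(user_id, db_id):
    """True if the user belongs to at least one group with access to db_id."""
    return bool(USERS[user_id]["groups"] & DB_ACCESS.get(db_id, set()))


def audit_subscription(sub):
    """Return sorted (recipient_id, database_id) pairs where the recipient
    cannot query the database but the subscription's creator can.

    Emails are rendered with the creator's permissions, so a creator who
    lacks access produces a broken subscription, not a leak; those are skipped.
    """
    leaked = []
    for db_id in sub["card_database_ids"]:
        if not can_query(sub["creator_id"], db_id):
            continue
        for uid in sub["recipient_ids"]:
            if uid != sub["creator_id"] and not can_query(uid, db_id):
                leaked.append((uid, db_id))
    return sorted(leaked)


def audit_all(subs=SUBSCRIPTIONS):
    """Map subscription id -> findings, only for subscriptions with findings."""
    findings = {}
    for sub in subs:
        leaked = audit_subscription(sub)
        if leaked:
            findings[sub["id"]] = leaked
    return findings


if __name__ == "__main__":
    for sub_id, leaked in audit_all().items():
        for uid, db_id in leaked:
            print(f"subscription {sub_id}: {USERS[uid]['email']} receives "
                  f"data from database {db_id} they cannot query")
```

In a real deployment the three constructed dicts would be filled from the Metabase API with an admin session, and the list of databases per subscription would have to be resolved from each pulse's cards. Any recipient this check flags should be removed from the subscription, or the subscription recreated, after the upgrade.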

Weakness Enumeration
Improper Privilege Management
Information Disclosure

Related Identifiers
CVE-2023-23629
GHSA-CH8F-HHQ9-7GV5

Affected Products

Metabase