PT-2023-23956 · Metabase · Metabase

Nemanjaglumac · Published 2023-05-18 · Updated 2023-05-26 · CVE-2023-32680

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Metabase versions prior to 0.44.7
Metabase versions prior to 0.45.4
Metabase versions prior to 0.46.3
Metabase versions prior to 1.44.7
Metabase versions prior to 1.45.4
Metabase versions prior to 1.46.3
Description

Metabase is an open source business analytics engine. Metabase did not enforce the requirement that a user be in at least one group with native query editing permission on a database in order to edit that database's SQL snippets. As a result, any user, including members of sandboxed groups, could edit SQL snippets through the API or the application UI. Because a snippet can carry logic that restricts data access, such as a filter used by a sandbox query, editing it could change a user's effective level of data access.
Recommendations

For Metabase versions prior to 0.44.7, upgrade to version 0.44.7 or later.
For Metabase versions prior to 0.45.4, upgrade to version 0.45.4 or later.
For Metabase versions prior to 0.46.3, upgrade to version 0.46.3 or later.
For Metabase versions prior to 1.44.7, upgrade to version 1.44.7 or later.
For Metabase versions prior to 1.45.4, upgrade to version 1.45.4 or later.
For Metabase versions prior to 1.46.3, upgrade to version 1.46.3 or later.
For users unable to upgrade, ensure that SQL queries used to create sandboxes exclude SQL snippets.
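The missing check and its fix, as an added Python illustration that is not Metabase's own code: the permission model (groups holding a native query editing permission per database id, users, a snippet) is a simplified assumption with constructed sample data, while the {{snippet: name}} reference form follows Metabase's documented snippet syntax. It contrasts the pre-fix check, which lets any authenticated user edit a snippet, with the fixed one, shows how an edited snippet changes what a sandbox query expands to, and includes the check a team that cannot upgrade would run to find sandbox queries that depend on snippets.

```python
"""Simplified model of the CVE-2023-32680 permission gap (added illustration, not Metabase code).
Groups, database ids, users and the snippet used in tests are constructed sample data."""
import re
from dataclasses import dataclass, field

# Metabase's reference syntax for a snippet inside a native query: {{snippet: name}}
SNIPPET_REF = re.compile(r"\{\{\s*snippet:\s*([^}]+?)\s*\}\}")

@dataclass
class Group:
    name: str
    native_query_dbs: set = field(default_factory=set)  # database ids with native (SQL) editing

@dataclass
class User:
    name: str
    groups: list

@dataclass
class Snippet:
    name: str
    database_id: int
    sql: str

def can_edit_snippet_vulnerable(user: User, snippet: Snippet) -> bool:
    """Pre-fix behaviour: being authenticated was enough to edit any snippet."""
    return True

def can_edit_snippet_fixed(user: User, snippet: Snippet) -> bool:
    """Fixed behaviour: the user needs native query editing permission, via at
    least one of their groups, on the snippet's database."""
    return any(snippet.database_id in g.native_query_dbs for g in user.groups)

def try_edit(user: User, snippet: Snippet, new_sql: str, check) -> bool:
    """Apply the edit only if the supplied authorization check passes."""
    if not check(user, snippet):
        return False
    snippet.sql = new_sql
    return True

def expand_snippets(query: str, snippets: dict) -> str:
    """Inline the current snippet bodies, as happens before a sandbox query runs."""
    return SNIPPET_REF.sub(lambda m: snippets[m.group(1)].sql, query)

def sandbox_uses_snippets(query: str) -> list:
    """Workaround check for those who cannot upgrade: snippet names a sandbox query relies on."""
    return SNIPPET_REF.findall(query)
```

A sandbox query that references no snippet returns an empty list from `sandbox_uses_snippets`, which is the state the workaround asks operators to reach.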

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2023-32680
GHSA-MW6J-F894-4QXV

Affected Products

Metabase