PT-2025-15995 · Metabase · Metabase
Perivamsipu · Published 2025-04-10 · Updated 2025-04-10 · CVE-2025-32382
CVSS v4.0: 1.8 (Low)
| Vector | AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions:
Metabase versions prior to 52.17.1
Metabase versions prior to 53.9.5
Metabase versions prior to 54.1.5
Description:
The issue arises when administrators change Snowflake connection details in Metabase, such as updating a password or switching between password and private key authentication. In these cases, Metabase may not always remove older connection details from its application database. As Metabase attempts to establish a connection using different methods, it logs successful connections, which can include printing the username and password to the logger. This poses a security risk as sensitive credentials are exposed in the logs.
Recommendations:
For versions prior to 52.17.1, update to version 52.17.1 or later to resolve the issue.
For versions prior to 53.9.5, update to version 53.9.5 or later to resolve the issue.
For versions prior to 54.1.5, update to version 54.1.5 or later to resolve the issue.
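The script below is an added example, not part of the advisory and not Metabase code: it checks a release string against the fixed versions listed above and reports which lines of an existing log contain a known credential, without printing the credential itself. The names `is_affected` and `find_leaks`, the sample log layout, the dropping of a leading `0.`/`1.` edition prefix, and the treatment of branches after 54 as fixed are assumptions of this example.

```python
import re
from urllib.parse import quote

# Fixed release per branch, taken from the advisory text.
FIXED = {52: (52, 17, 1), 53: (53, 9, 5), 54: (54, 1, 5)}

# Constructed sample: this line layout is invented for the example and is
# not Metabase's real log format; the credential is a made-up value.
SAMPLE_LOG = [
    "2025-04-09 10:00:01 INFO sync :: starting sync for database 7",
    '2025-04-09 10:00:02 INFO driver :: connected {:user "SVC_BI", :password "Ex@mple-Pw1"}',
    "2025-04-09 10:00:03 INFO driver :: connected user=SVC_BI&password=Ex%40mple-Pw1",
]
SAMPLE_SECRETS = {"snowflake-password": "Ex@mple-Pw1"}

def parse_version(text):
    """Turn '53.9.4', 'v0.53.9.4' or 'v1.53.9.4' into a tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    # Assumption: a leading 0. or 1. is an edition prefix, not the branch.
    if len(parts) >= 2 and parts[0] in (0, 1):
        parts = parts[1:]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts)

def is_affected(text):
    """True if the release predates the fix for its branch."""
    version = parse_version(text)
    if version[0] < 52:
        return True   # "prior to 52.17.1" covers older branches too
    if version[0] > 54:
        return False  # Assumption: later branches ship with the fix
    return version < FIXED[version[0]]

def find_leaks(lines, secrets):
    """Return (line_number, label) for every line holding a known secret.

    Matches the literal value and its URL-encoded form; only the label is
    reported, so the scan output does not repeat the credential.
    """
    forms = [(form, label) for label, value in secrets.items() if value
             for form in {value, quote(value, safe="")}]
    hits = []
    for number, line in enumerate(lines, start=1):
        for label in sorted({lab for form, lab in forms if form in line}):
            hits.append((number, label))
    return hits

if __name__ == "__main__":
    for release in ("v0.53.9.4", "54.1.5"):
        print(release, "affected" if is_affected(release) else "fixed")
    for number, label in find_leaks(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"line {number}: contains {label}")
```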
Insertion into Log File
Weakness Enumeration
Related Identifiers
Affected Products
Metabase