CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0CVE-2023-37470 – Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint
https://notcve.org/view.php?id=CVE-2023-37470
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. • https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 84%CPEs: 8EXPL: 30CVE-2023-38646 – Metabase 0.46.6 Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-38646
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. • https://github.com/robotmikhro/CVE-2023-38646 https://github.com/Pyr0sec/CVE-2023-38646 https://github.com/kh4sh3i/CVE-2023-38646 https://github.com/SUT0L/CVE-2023-38646 https://github.com/Red4mber/CVE-2023-38646 https://github.com/AnvithLobo/CVE-2023-38646 https://github.com/raytheon0x21/CVE-2023-38646 https://github.com/UserConnecting/Exploit-CVE-2023-38646-Metabase https://github.com/j0yb0y0h/CVE-2023-38646 https://github.com/xchg-rax-rax/CVE-2023-38646 https://g •
CVSS: 9.6EPSS: 0%CPEs: 6EXPL: 0CVE-2023-32680 – Missing SQL permissions check in metabase
https://notcve.org/view.php?id=CVE-2023-32680
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. • https://github.com/metabase/metabase/pull/30852 https://github.com/metabase/metabase/pull/30853 https://github.com/metabase/metabase/pull/30854 https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-23629 – Metabase subject to Improper Privilege Management
https://notcve.org/view.php?id=CVE-2023-23629
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. • https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-269: Improper Privilege Management •
CVSS: 5.7EPSS: 0%CPEs: 6EXPL: 0CVE-2023-23628 – Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2023-23628
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. • https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •