CVE-2023-23629

Metabase subject to Improper Privilege Management

Severity Score

6.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboard subscriptions see the data as seen by the creator of that subscription: someone with greater data access can create a dashboard subscription, add people with fewer data privileges, and all recipients receive the same charts, rendered under the privileges of the user who created the subscription. The issue is that users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.

*Credits: N/A
CVSS Scores
Two CVSS v3.1 vectors are recorded for this CVE; both evaluate to a base score of 6.3.

Vector 1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: Required
  Scope: Unchanged
  Confidentiality: High
  Integrity: Low
  Availability: None

Vector 2: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: Required
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: Low
* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-01-16 CVE Reserved
  • 2023-01-28 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-269: Improper Privilege Management
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor    Product   Version                 Other  Status
Metabase  Metabase  < 0.43.7.1              -      Affected
Metabase  Metabase  >= 0.44.0 < 0.44.6.1    -      Affected
Metabase  Metabase  >= 0.45.0 < 0.45.2.1    -      Affected
Metabase  Metabase  >= 1.0.0 < 1.43.7.1     -      Affected
Metabase  Metabase  >= 1.44.0 < 1.44.6.1    -      Affected
Metabase  Metabase  >= 1.45.0 < 1.45.2.1    -      Affected
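The affected ranges above are easy to misread because the fixes are four-part point releases (0.45.2 is vulnerable, 0.45.2.1 is not) and because the 0.x and 1.x lines are patched in parallel. The script below, an added example and not Metabase project code, encodes exactly the six ranges from the table and maps a version tag to the first patched release in its line. It assumes a tag of the form `v0.45.2` or `v1.44.6.1`, and `affected_from_properties()` assumes that `GET /api/session/properties` returns a `version` object with a `tag` field; the sample properties document is constructed, not captured from a live instance. The Enterprise workaround (removing the "Subscriptions and Alerts" permission from restricted groups) is a UI permission change and is not something this check can see.

```python
"""Check a Metabase version tag against the CVE-2023-23629 affected ranges.

Added example, not Metabase project code. The ranges are the ones listed on this
page; the JSON shape read by affected_from_properties() is an assumption about
what GET /api/session/properties returns (a "version" object with a "tag").
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound or None, exclusive upper bound), one entry per row of
# the table above. The upper bound of each range is also the first patched
# release in that line. Metabase ships 0.x as the open-source build and 1.x as
# the Enterprise build, which is why every range appears twice.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None,       (0, 43, 7, 1)),   # < 0.43.7.1
    ((0, 44, 0), (0, 44, 6, 1)),   # >= 0.44.0 < 0.44.6.1
    ((0, 45, 0), (0, 45, 2, 1)),   # >= 0.45.0 < 0.45.2.1
    ((1, 0, 0),  (1, 43, 7, 1)),   # >= 1.0.0  < 1.43.7.1
    ((1, 44, 0), (1, 44, 6, 1)),   # >= 1.44.0 < 1.44.6.1
    ((1, 45, 0), (1, 45, 2, 1)),   # >= 1.45.0 < 1.45.2.1
]

# Optional leading "v", two to four dot-separated numbers; a trailing suffix
# such as "-SNAPSHOT" is ignored.
_TAG_RE = re.compile(r"^v?(\d+(?:\.\d+){1,3})")


def parse_version(tag: str) -> Version:
    """Turn 'v0.45.2', '0.45.2.1' or 'v1.44.6.1-SNAPSHOT' into an int tuple.

    Python tuple comparison does the right thing for four-part point releases:
    (0, 45, 2) < (0, 45, 2, 1), so 0.45.2 sorts below the 0.45.2.1 fix, while
    (0, 45, 3) > (0, 45, 2, 1), so a later minor release is outside the range.
    """
    match = _TAG_RE.match(tag.strip())
    if not match:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def fixed_version_for(tag: str) -> Optional[str]:
    """Return the first patched release for an affected tag, or None if the tag
    falls outside every listed range (already patched, or a later release)."""
    version = parse_version(tag)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or version >= lower) and version < upper:
            return ".".join(str(n) for n in upper)
    return None


def is_affected(tag: str) -> bool:
    """True when the tag lies inside one of the affected ranges."""
    return fixed_version_for(tag) is not None


def affected_from_properties(props: dict) -> Tuple[bool, Optional[str]]:
    """Evaluate a /api/session/properties document (assumed shape: the version
    tag sits at props["version"]["tag"]). Returns (affected, first_fixed)."""
    fix = fixed_version_for(props["version"]["tag"])
    return fix is not None, fix


# Constructed sample document, not captured from a live instance.
SAMPLE_PROPERTIES = {"version": {"tag": "v0.45.2"}}


if __name__ == "__main__":
    for tag in ("v0.42.5", "v0.43.7.1", "v0.45.2", "v1.44.6", "v1.45.2.1", "v0.46.0"):
        print(f"{tag:11} affected={str(is_affected(tag)):5} fix={fixed_version_for(tag)}")
    print(affected_from_properties(SAMPLE_PROPERTIES))
```

Versions outside every listed range, such as 0.46.0 and later, are reported as not affected because the page lists no range covering them; that is a statement about this advisory's data, not a general claim about those releases.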