CVE-2023-23629 - OpenCVE

Vendors	Products
Metabase	Metabase

Link	Providers
https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23629", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.245Z", "datePublished": "2023-01-28T01:23:33.300Z", "dateUpdated": "2024-08-02T10:35:33.616Z"}, "containers": {"cna": {"title": "Metabase subject to Improper Privilege Management", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"}], "affected": [{"vendor": "metabase", "product": "metabase", "versions": [{"version": "< 0.43.7.1", "status": "affected"}, {"version": ">= 0.44.0-RC1, < 0.44.6.1", "status": "affected"}, {"version": ">= 0.45.0-RC1, < 0.45.2.1", "status": "affected"}, {"version": ">= 1.0.0, < 1.43.7.1", "status": "affected"}, {"version": ">= 1.44.0-RC1, < 1.44.6.1", "status": "affected"}, {"version": ">= 1.45.0-RC1, < 1.45.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-28T01:23:33.300Z"}, "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n"}], "source": {"advisory": "GHSA-ch8f-hhq9-7gv5", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.616Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "B739CE77-5465-4018-9A7D-EFE7E2C6912C", "versionEndExcluding": "0.43.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF00E09E-C915-4D5E-BF06-D52E044752C5", "versionEndExcluding": "0.44.6.1", "versionStartIncluding": "0.44.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4A024C8-A76F-4D31-ACAF-E47E19BC5FE3", "versionEndExcluding": "0.45.2.1", "versionStartIncluding": "0.45.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF2F09-CA1A-4A02-A529-8E879C011505", "versionEndExcluding": "1.43.7.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A2796BF-3609-4633-9465-671B1A6BDF44", "versionEndExcluding": "1.44.6.1", "versionStartIncluding": "1.44.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*", "matchCriteriaId": "79B81DBB-484A-466C-95B3-CD91F7390D31", "versionEndExcluding": "1.45.2.1", "versionStartIncluding": "1.45.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the \"Subscriptions and Alerts\" permission for groups that have restricted data permissions, as a workaround.\n"}, {"lang": "es", "value": "Metabase es una plataforma de an\u00e1lisis de datos de c\u00f3digo abierto. Las versiones afectadas est\u00e1n sujetas a una gesti\u00f3n de privilegios inadecuada. Seg\u00fan lo previsto, los destinatarios de las suscripciones a paneles pueden ver los datos tal como los ve el creador de esa suscripci\u00f3n. Esto permite que alguien con mayor acceso a los datos cree una suscripci\u00f3n al panel, agregue personas con menos privilegios de datos y todos los destinatarios de esa suscripci\u00f3n reciban los mismos datos: los gr\u00e1ficos que se muestran en el correo electr\u00f3nico cumplir\u00e1n con los privilegios del usuario que cre\u00f3 la suscripci\u00f3n. . El problema es que los usuarios con menos privilegios que pueden ver un panel pueden agregarse a una suscripci\u00f3n al panel creada por alguien con privilegios de datos adicionales y, por lo tanto, obtener acceso a m\u00e1s datos por correo electr\u00f3nico. Este problema se solucion\u00f3 en las versiones 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 y 1.45.2.1. En instancias de Metabase que ejecutan Enterprise Edition, los administradores pueden desactivar el permiso \"Suscripciones y alertas\" para grupos que tienen permisos de datos restringidos, como workaround."}], "id": "CVE-2023-23629", "lastModified": "2023-11-07T04:07:50.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-28T02:15:07.900", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object