CVE-2023-23629

Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboard subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email abide by the privileges of the user who created the subscription. The issue is that users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus gain access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.
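The flaw above is an authorization gap on the recipient list, not on the data itself: the email is rendered with the creator's privileges, so whoever controls the recipient list controls who sees that data. The following Python model is an added illustration written for this record; it is not Metabase code and does not reproduce the upstream fix. It contrasts the flawed "any dashboard viewer may edit recipients" check with a hypothetical hardened policy (only the creator or an admin may change recipients, and the actor must hold the subscription permission, which mirrors the Enterprise Edition workaround), plus an audit helper that lists, per recipient, the tables they would receive by email but could not query themselves. All users, tables and subscriptions are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    data_access: frozenset          # tables the user may query directly
    can_subscribe: bool = True      # models the "Subscriptions and Alerts" group permission
    is_admin: bool = False


@dataclass
class Subscription:
    creator: User
    dashboard_tables: frozenset     # tables the dashboard's cards read from
    recipients: list = field(default_factory=list)


def add_recipient_vulnerable(sub, actor, recipient):
    """Flawed check (illustrative): anyone who can view the dashboard may edit
    the recipient list, so a low-privilege viewer can add themselves and
    receive charts rendered with the creator's data privileges."""
    sub.recipients.append(recipient)
    return True


def add_recipient_hardened(sub, actor, recipient):
    """Hypothetical hardened policy: the actor must hold the subscription
    permission and must be the subscription's creator or an admin. Returns
    False and leaves the list untouched when the change is refused."""
    if not actor.can_subscribe:
        return False
    if actor != sub.creator and not actor.is_admin:
        return False
    sub.recipients.append(recipient)
    return True


def over_exposed(sub):
    """Audit helper: map each recipient to the dashboard tables they would
    receive by email but are not permitted to query themselves."""
    return {
        r.name: sorted(sub.dashboard_tables - r.data_access)
        for r in sub.recipients
        if sub.dashboard_tables - r.data_access
    }


# Constructed sample: an analyst with full access owns a dashboard that reads
# the salaries table; a viewer may only query orders.
ANALYST = User("analyst", frozenset({"orders", "salaries"}))
VIEWER = User("viewer", frozenset({"orders"}))
# Same viewer after the EE workaround: subscription permission removed.
WORKAROUND_VIEWER = User("viewer-ee", frozenset({"orders"}), can_subscribe=False)
DASHBOARD_TABLES = frozenset({"orders", "salaries"})


def demo_vulnerable():
    """Viewer adds themselves under the flawed check; audit flags salaries."""
    sub = Subscription(ANALYST, DASHBOARD_TABLES)
    add_recipient_vulnerable(sub, VIEWER, VIEWER)
    return over_exposed(sub)


def demo_hardened():
    """Same attempt under the hardened policy: refused, nothing exposed."""
    sub = Subscription(ANALYST, DASHBOARD_TABLES)
    refused = not add_recipient_hardened(sub, VIEWER, VIEWER)
    return refused, over_exposed(sub)


def demo_creator_adds_viewer():
    """The intended case still works: the creator adds a lower-privilege
    recipient, and the audit helper surfaces the resulting exposure for review."""
    sub = Subscription(ANALYST, DASHBOARD_TABLES)
    allowed = add_recipient_hardened(sub, ANALYST, VIEWER)
    return allowed, over_exposed(sub)


if __name__ == "__main__":
    print(demo_vulnerable())           # {'viewer': ['salaries']}
    print(demo_hardened())             # (True, {})
    print(demo_creator_adds_viewer())  # (True, {'viewer': ['salaries']})
```

The hardened check deliberately keeps the intended behaviour the record describes: a creator may still add lower-privilege recipients, and they receive the creator's view of the data. That is why the audit helper matters on its own: run over existing subscriptions, it tells an admin which recipients currently receive tables outside their own data permissions, which is the review to do after upgrading or applying the workaround.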
Configurations

Configuration 1

OR cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* (six version ranges in the original record; their version bounds were not preserved in this copy)

History

21 Nov 2024, 07:46

Type: Summary. Values Added: a Spanish-language description (translated here): Metabase is an open source data analytics platform. Affected versions are subject to improper privilege management. As intended, recipients of dashboard subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email follow the privileges of the user who created the subscription. The problem is that users with fewer privileges who can view a dashboard can add themselves to a dashboard subscription created by someone with additional data privileges and thus gain access to more data by email. This issue was fixed in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1 and 1.45.2.1. On Metabase instances running Enterprise Edition, administrators can disable the "Subscriptions and Alerts" permission for groups with restricted data permissions, as a workaround.

Type: References. Values Removed and Values Added both list https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5 (Third Party Advisory).

07 Nov 2023, 04:07

Type: Summary. Values Removed and Values Added carry the same description text as the summary at the top of this record (no substantive change).

Information

Published : 2023-01-28 02:15

Updated : 2024-11-21 07:46


NVD link : https://nvd.nist.gov/vuln/detail/CVE-2023-23629

Mitre link : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23629

CVE.ORG link : https://www.cve.org/CVERecord?id=CVE-2023-23629

Products Affected

Vendor: metabase

  • Product: metabase

CWE

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-269: Improper Privilege Management