CVE-2023-23628
Metabase < 0.43.7.1 - Unauthorized Exposure of Dashboard Subscription Recipients
Severity: MEDIUM
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the settings for a dashboard subscription, and another user has added users to that subscription, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. There are no workarounds.
References (1)
Third Party Advisory (x_refsource_confirm): https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv
Scores
CVSS v3: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
EPSS: 0.0044
EPSS Percentile: 35.1%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (1)
metabase/metabase < 0.43.7.1
Published: Jan 28, 2023
Tracked Since: Feb 18, 2026