CVE-2023-23629

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23629
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23629.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-23629
Related
  • GHSA-ch8f-hhq9-7gv5
Published
2023-01-28T02:15:07Z
Modified
2025-02-14T11:42:13.371892Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
[none]
Details

Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription, add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscription. The issue is users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email. This issue is patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions, as a workaround.

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type
GIT
Repo
https://github.com/metabase/metabase
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
65326e42b476616286f7d4abcbce715138ff1aa4

Affected versions

0.*

0.10.3
0.34.0-rc1

Other

blah
v20150601-alpha
v20150603-alpha
v20150604-alpha

prettier-1.*

prettier-1.17.0-package

release-0.*

release-0.32.2

v0.*

v0.10.0
v0.10.3
v0.10.4
v0.10.4.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.12.0-test
v0.12.1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.17.0
v0.17.1
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.21.0
v0.21.0-rc2
v0.21.0-rc3
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.23.0.RC2
v0.23.0.RC3
v0.23.0.RC4
v0.23.1
v0.24.0
v0.24.0.RC1
v0.24.0.RC2
v0.24.0.RC3
v0.24.0.RC4
v0.24.1
v0.24.2
v0.25.0
v0.25.0.RC1
v0.25.0.RC2
v0.26.0
v0.26.0.RC1
v0.26.0.RC2
v0.26.1
v0.28.0
v0.28.0-RC
v0.28.0-RC2
v0.28.0-RC3
v0.28.0.RC1
v0.28.1
v0.29.0
v0.29.0-RC1
v0.29.1
v0.29.2
v0.29.3
v0.30.0
v0.30.0-rc
v0.30.1
v0.30.2
v0.30.3
v0.30.4
v0.31.0
v0.31.0-RC1
v0.31.1
v0.31.2
v0.32.0
v0.32.0-RC1
v0.32.0-RC2
v0.32.1
v0.32.2
v0.32.3
v0.32.4
v0.32.5
v0.32.6
v0.32.7
v0.32.8
v0.33.0
v0.33.0-RC1
v0.33.1
v0.33.2
v0.33.3
v0.33.4
v0.33.5
v0.33.5.1
v0.33.6
v0.33.7
v0.33.7.1
v0.33.7.2
v0.33.7.3
v0.34.0
v0.34.1
v0.34.1-rc-test
v0.34.2
v0.34.3
v0.35.0
v0.35.0-rc1
v0.35.0-rc2
v0.35.1
v0.35.2
v0.35.3
v0.35.4
v0.36.0
v0.36.0-rc1
v0.36.0-snapshot
v0.36.1
v0.36.2
v0.36.3
v0.36.4
v0.36.5
v0.36.5.1
v0.36.6
v0.36.7
v0.36.8
v0.36.8.1
v0.37.0
v0.37.0-rc2
v0.37.0.1
v0.37.0.2
v0.37.1
v0.37.2
v0.37.3
v0.37.4
v0.37.5
v0.37.6
v0.37.7
v0.37.8
v0.38.0
v0.38.0-preview
v0.38.0-rc1
v0.38.0-rc2
v0.38.0-rc3
v0.38.0-rc4
v0.38.0-rc5
v0.38.0.1
v0.38.1
v0.38.2
v0.38.3
v0.38.4
v0.39.0
v0.39.0-rc1
v0.39.0-rc2
v0.39.0.1
v0.39.1
v0.39.2
v0.39.3
v0.39.4
v0.40.0
v0.40.0-rc1-dan
v0.40.0-rc2
v0.41.0-RC1
v0.42.0-preview1
v0.43.0
v0.43.0-rc1
v0.43.0-rc2
v0.43.1
v0.43.2
v0.43.3
v0.43.4
v0.43.4.1
v0.43.4.2
v0.43.5
v0.43.6
v0.43.7
v0.9-final
v0.9.1
v0.9.2
v0.9.3

v1.*

v1.37.0.2
v1.37.1
v1.37.1.1
v1.37.1.2
v1.37.2
v1.37.3
v1.37.4
v1.37.5
v1.37.6
v1.37.7
v1.37.8
v1.38.0
v1.38.0.1
v1.38.1
v1.38.1-migration
v1.38.2
v1.38.3
v1.38.4
v1.39.0
v1.39.0.1
v1.39.1
v1.39.2
v1.39.3
v1.39.4
v1.40.0
v1.40.0-rc2
v1.41.0-RC1
v1.42.0-preview1
v1.42.0-rc2
v1.43.0
v1.43.0-rc1
v1.43.0-rc2
v1.43.1
v1.43.2
v1.43.3
v1.43.4
v1.43.4.1
v1.43.4.2
v1.43.5
v1.43.6
v1.43.7