CVE-2023-32680

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-32680

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32680.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-32680

Aliases

GHSA-mw6j-f894-4qxv

Published

2023-05-18T22:55:30.636Z

Modified

2025-11-29T07:31:02.207273Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Missing SQL permissions check in metabase

Details

Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32680.json"
}

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

Fixed

da9213758912b8033c1e2d9fb8334ff58edc49ca

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.44.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

4e41d7624d33a28d40e4aff577124189e70acbc3

Fixed

0d55594e09077b5de54e54d39ecb6f5139c0359e

Database specific

{
    "versions": [
        {
            "introduced": "0.45.0"
        },
        {
            "fixed": "0.45.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/metabase/metabase

Events

Introduced

0ca7df376a56669965cad963b919ae63f5bef973

Fixed

8d74de2ed3a76c96995b335e20fa1434473962e2

Database specific

{
    "versions": [
        {
            "introduced": "0.46.0"
        },
        {
            "fixed": "0.46.3"
        }
    ]
}

Affected versions

0.*

0.10.3

0.34.0-rc1

Other

blah

v20150601-alpha

v20150603-alpha

v20150604-alpha

prettier-1.*

prettier-1.17.0-package

release-0.*

release-0.32.2

v0.*

v0.10.0

v0.10.3

v0.10.4

v0.10.4.1

v0.11.0

v0.11.1

v0.11.2

v0.11.3

v0.12.0

v0.12.0-test

v0.12.1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.16.0

v0.16.1

v0.17.0

v0.17.1

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.19.3

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.21.0-rc2

v0.21.0-rc3

v0.21.1

v0.22.0

v0.22.1

v0.23.0

v0.23.0.RC2

v0.23.0.RC3

v0.23.0.RC4

v0.23.1

v0.24.0

v0.24.0.RC1

v0.24.0.RC2

v0.24.0.RC3

v0.24.0.RC4

v0.24.1

v0.24.2

v0.25.0

v0.25.0.RC1

v0.25.0.RC2

v0.26.0

v0.26.0.RC1

v0.26.0.RC2

v0.26.1

v0.28.0

v0.28.0-RC

v0.28.0-RC2

v0.28.0-RC3

v0.28.0.RC1

v0.28.1

v0.29.0

v0.29.0-RC1

v0.29.1

v0.29.2

v0.29.3

v0.30.0

v0.30.0-rc

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.31.0

v0.31.0-RC1

v0.31.1

v0.31.2

v0.32.0

v0.32.0-RC1

v0.32.0-RC2

v0.32.1

v0.32.2

v0.32.3

v0.32.4

v0.32.5

v0.32.6

v0.32.7

v0.32.8

v0.33.0

v0.33.0-RC1

v0.33.1

v0.33.2

v0.33.3

v0.33.4

v0.33.5

v0.33.5.1

v0.33.6

v0.33.7

v0.33.7.1

v0.33.7.2

v0.33.7.3

v0.34.0

v0.34.1

v0.34.1-rc-test

v0.34.2

v0.34.3

v0.35.0

v0.35.0-rc1

v0.35.0-rc2

v0.35.1

v0.35.2

v0.35.3

v0.35.4

v0.36.0

v0.36.0-rc1

v0.36.0-snapshot

v0.36.1

v0.36.2

v0.36.3

v0.36.4

v0.36.5

v0.36.5.1

v0.36.6

v0.36.7

v0.36.8

v0.36.8.1

v0.37.0

v0.37.0-rc2

v0.37.0.1

v0.37.0.2

v0.37.1

v0.37.2

v0.37.3

v0.37.4

v0.37.5

v0.37.6

v0.37.7

v0.37.8

v0.38.0

v0.38.0-preview

v0.38.0-rc1

v0.38.0-rc2

v0.38.0-rc3

v0.38.0-rc4

v0.38.0-rc5

v0.38.0.1

v0.38.1

v0.38.2

v0.38.3

v0.38.4

v0.39.0

v0.39.0-rc1

v0.39.0-rc2

v0.39.0.1

v0.39.1

v0.39.2

v0.39.3

v0.39.4

v0.40.0

v0.40.0-rc1-dan

v0.40.0-rc2

v0.41.0-RC1

v0.42.0-preview1

v0.43.0-rc1

v0.44.0

v0.44.0-RC1

v0.44.0-RC2

v0.44.0-RC3

v0.44.1

v0.44.2

v0.44.3

v0.44.4

v0.44.5

v0.44.6

v0.44.6.1

v0.45.0

v0.45.1

v0.45.2

v0.45.3

v0.45.3.1

v0.46.0

v0.46.1

v0.46.2

v0.9-final

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.37.0.2

v1.37.1

v1.37.1.1

v1.37.1.2

v1.37.2

v1.37.3

v1.37.4

v1.37.5

v1.37.6

v1.37.7

v1.37.8

v1.38.0

v1.38.0.1

v1.38.1

v1.38.1-migration

v1.38.2

v1.38.3

v1.38.4

v1.39.0

v1.39.0.1

v1.39.1

v1.39.2

v1.39.3

v1.39.4

v1.40.0

v1.40.0-rc2

v1.41.0-RC1

v1.42.0-preview1

v1.42.0-rc2

v1.43.0-rc1

v1.44.0

v1.44.0-RC1

v1.44.0-RC2

v1.44.0-RC3

v1.44.1

v1.44.2

v1.44.3

v1.44.4

v1.44.5

v1.44.6

v1.44.6.1

v1.45.0

v1.45.1

v1.45.2

v1.45.3

v1.45.3.1

v1.46.0

v1.46.1

v1.46.2