Missing SQL permissions check in metabase
CVE-2023-32680

5.8 MEDIUM

Key Information:

Vendor: Metabase
Status: Vendor
CVE Published: 18 May 2023

What is CVE-2023-32680?

Metabase, an open-source business analytics engine, has an access control vulnerability in the affected versions: the required group permission was not enforced when editing SQL snippets. Any user who could reach the snippet editor, including members of sandboxed groups whose data access is deliberately restricted, could change a snippet's SQL. Because a sandbox can be defined by a SQL query that references a snippet, a sandboxed user could rewrite the very snippet that limits their data visibility and so read rows or columns the sandbox was meant to hide. Users should upgrade to a fixed Metabase release; if that is not immediately possible, review the SQL queries that define sandboxes and make sure they do not depend on snippets that a sandboxed user could edit.
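To make the failure mode concrete, the following is an added, self-contained model of the mechanism described above; it is not Metabase's code, schema or permission model. It assumes a sandbox query that pulls its row filter from a named snippet referenced with a `{{snippet: name}}` placeholder, a constructed `orders` table in an in-memory SQLite database, and a hypothetical group permission named `native-query` that stands in for "may author SQL and edit snippets". The vulnerable editor saves a snippet without checking that permission; the fixed editor refuses. Running the sandbox before and after a sandboxed user rewrites the snippet shows the row count jump from the user's own rows to the whole table.

```python
import re
import sqlite3

# Constructed sample data (not from Metabase or the advisory).
ORDERS = [
    (1, "alice", 120.0),
    (2, "bob", 80.0),
    (3, "bob", 45.0),
    (4, "carol", 300.0),
]

# Snippets are named SQL fragments; the sandbox's row filter lives in one.
SNIPPETS = {"own_rows_only": "username = {{user}}"}

# The sandbox definition: a SQL query whose WHERE clause is a snippet reference.
SANDBOX_QUERY = (
    "SELECT id, username, total FROM orders WHERE {{snippet: own_rows_only}}"
)

# Hypothetical group permissions. "native-query" is an assumed label meaning
# "may write SQL and therefore edit snippets"; sandboxed users lack it.
GROUP_PERMS = {
    "sandboxed": set(),
    "analysts": {"native-query"},
}


class PermissionDenied(Exception):
    pass


def expand(query, snippets, params):
    """Inline {{snippet: name}} references, then turn {{param}} placeholders
    into bound parameters. Snippets are expanded first so that placeholders
    inside a snippet body are bound too. User attributes are never
    string-substituted into the SQL."""
    sql = re.sub(
        r"\{\{\s*snippet:\s*([^}]+)\}\}",
        lambda m: snippets[m.group(1).strip()],
        query,
    )
    bound = []

    def bind(m):
        bound.append(params[m.group(1).strip()])
        return "?"

    sql = re.sub(r"\{\{\s*([^}:]+)\}\}", bind, sql)
    return sql, bound


def run_sandbox(conn, user, snippets):
    """Run the sandbox query as the given user and return the visible rows."""
    sql, bound = expand(SANDBOX_QUERY, snippets, {"user": user})
    return conn.execute(sql, bound).fetchall()


def edit_snippet_vulnerable(snippets, group, name, body):
    """Vulnerable: saves the snippet without any group permission check."""
    snippets[name] = body


def edit_snippet_fixed(snippets, group, name, body):
    """Fixed: only groups allowed to author SQL may change a snippet."""
    if "native-query" not in GROUP_PERMS.get(group, set()):
        raise PermissionDenied(f"group {group!r} may not edit SQL snippets")
    snippets[name] = body


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, username TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)

    snippets = dict(SNIPPETS)
    before = run_sandbox(conn, "bob", snippets)          # bob's own rows only
    # A member of the sandboxed group rewrites the snippet the sandbox relies on.
    edit_snippet_vulnerable(snippets, "sandboxed", "own_rows_only", "1 = 1")
    after = run_sandbox(conn, "bob", snippets)           # every row in the table

    # With the permission check in place the same edit is rejected and the
    # sandbox keeps filtering.
    snippets = dict(SNIPPETS)
    try:
        edit_snippet_fixed(snippets, "sandboxed", "own_rows_only", "1 = 1")
        rejected = False
    except PermissionDenied:
        rejected = True
    fixed = run_sandbox(conn, "bob", snippets)

    return {
        "before": len(before),
        "after": len(after),
        "rejected": rejected,
        "fixed": len(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the permission check belongs on the write path for snippets, not only on who may run native queries: once a sandbox's filter is delegated to a snippet, anyone who can edit that snippet effectively edits the sandbox.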

Affected Version(s)

metabase < 0.44.7

metabase >= 1.0.0, < 1.44.7

metabase >= 0.45.0, < 0.45.4

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
