Metabase 0.43.x < 0.43.7.1 / 0.44.x < 0.44.6.1 / 0.45.x < 0.45.2.1 / 1.43.x < 1.43.7.1 / 1.44.x < 1.44.6.1 / 1.45.x < 1.45.2.1

medium Nessus Plugin ID 261773

Synopsis

The remote host is affected by a vulnerability.

Description

The version of Metabase installed on the remote host is affected by multiple vulnerabilities:
- Exposure of sensitive information to an unauthorized actor (information disclosure). Sandboxed users should not be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandboxed user views the settings of a dashboard subscription to which another user has added recipients, the sandboxed user is able to view the list of recipients for that subscription. (CVE-2023-23628)

- An access control weakness: a user with greater access to data can create a dashboard subscription and add people with fewer data privileges, and all recipients of that subscription receive the same data, because the charts shown in the email follow the privileges of the user who created the subscription. The issue is that users with fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus gain access to more data via email. (CVE-2023-23629)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Metabase version 0.43.7.1, 0.44.6.1, 0.45.2.1, 1.43.7.1, 1.44.6.1, 1.45.2.1, or later.
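Because the plugin decides solely from the self-reported version, a defender can reproduce the same branch-aware comparison when triaging inventory data. The following is an added example, not code from the Nessus plugin or from Metabase; the fixed-version table is taken from the advisory text above, and the version-string format (dotted integers with an optional suffix) is an assumption.

```python
# Added example (not part of the Nessus plugin or Metabase): reproduces the
# version-only check the plugin performs, i.e. whether a self-reported Metabase
# version is in an affected branch and below that branch's fixed release.
from typing import Optional, Tuple

# Fixed release per affected branch, as listed in the advisory (0.x = OSS, 1.x = Enterprise).
FIXED_VERSIONS = {
    (0, 43): (0, 43, 7, 1),
    (0, 44): (0, 44, 6, 1),
    (0, 45): (0, 45, 2, 1),
    (1, 43): (1, 43, 7, 1),
    (1, 44): (1, 44, 6, 1),
    (1, 45): (1, 45, 2, 1),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '0.45.2' into a tuple of ints.
    A pre-release/build suffix (e.g. '-SNAPSHOT', '+build') is ignored; this
    string shape is an assumption, not something the advisory specifies."""
    core = version.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if `version` is in an affected branch and older than the fix,
    False if it is at or above the fix, None if the branch is not covered by
    this advisory (e.g. 0.46.x), mirroring the plugin's version-only logic."""
    v = parse_version(version)
    if len(v) < 2:
        return None
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    # Pad to four components so '0.45.2' compares as (0, 45, 2, 0) < (0, 45, 2, 1).
    padded = v + (0,) * (4 - len(v)) if len(v) < 4 else v
    return padded < fixed
```

A `None` result means the branch is outside this advisory's scope, not that the host is safe; like the plugin, this says nothing about whether the issue is actually exploitable on the host.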

See Also

http://www.nessus.org/u?afa2a6a8

http://www.nessus.org/u?a525dbcc

Plugin Details

Severity: Medium

ID: 261773

File Name: metabase_CVE-2023-23628.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 9/9/2025

Updated: 9/9/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-23628

CVSS v3

Risk Factor: Medium

Base Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/a:metabase:metabase

Required KB Items: installed_sw/Metabase

Patch Publication Date: 1/28/2023

Vulnerability Publication Date: 1/28/2023

Reference Information

CVE: CVE-2023-23628, CVE-2023-23629