Skip to main content

Metabase CVE-2023-32680

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2023-05-18 security-advisories@github.com
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
May 18, 2023 - 23:15 nvd
CRITICAL 9.6

DescriptionNVD

Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database-but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone-including people in sandboxed groups-could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets.

AnalysisAI

Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Technical ContextAI

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database-but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone-including people in sandboxed groups-could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets. Affected products include: Metabase.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Require authentication for all sensitive operations, implement defense in depth.

CVE-2023-38646 CRITICAL POC
9.8 Jul 21

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman

CVE-2021-41277 HIGH POC
7.5 Nov 17

Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2022-43776 MEDIUM POC
6.5 Oct 26

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For

CVE-2026-50148 CRITICAL
10.0 Jul 15

Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed release

CVE-2023-37470 CRITICAL
9.8 Aug 04

Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulner

CVE-2022-24853 MEDIUM POC
5.3 Apr 14

Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-59827 HIGH
8.8 Jul 09

Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run

CVE-2022-39362 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-39361 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-24854 HIGH
8.8 Apr 14

Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnera

CVE-2026-27464 HIGH
7.7 Feb 21

Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi

CVE-2026-50147 HIGH
7.6 Jul 15

Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds dat

Share

CVE-2023-32680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy