CVE-2025-27141 (GCVE-0-2025-27141)

Vulnerability from cvelistv5 – Published: 2025-02-24 22:05 – Updated: 2025-02-25 14:31
VLAI?
Title
Metabase Enterprise Edition allows cached questions to leak data to impersonated users
Summary
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.
Severity ?
4.8 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
Impacted products
Vendor Product Version
metabase metabase Affected: >= 1.47.0, < 1.50.36
Affected: >= 1.51.0, < 1.51.14
Affected: >= 1.52.0, < 1.51.11
Affected: >= 1.53.0, < 1.53.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27141",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:31:15.032552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T14:31:28.020Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "metabase",
          "vendor": "metabase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.47.0, \u003c 1.50.36"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.51.0, \u003c 1.51.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.52.0, \u003c 1.51.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.53.0, \u003c 1.53.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-24T22:05:14.188Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p"
        },
        {
          "name": "https://www.metabase.com/docs/latest/configuring-metabase/caching",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.metabase.com/docs/latest/configuring-metabase/caching"
        },
        {
          "name": "https://www.metabase.com/docs/latest/permissions/impersonation",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.metabase.com/docs/latest/permissions/impersonation"
        }
      ],
      "source": {
        "advisory": "GHSA-6cc4-h534-xh5p",
        "discovery": "UNKNOWN"
      },
      "title": "Metabase Enterprise Edition allows cached questions to leak data to impersonated users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27141",
    "datePublished": "2025-02-24T22:05:14.188Z",
    "dateReserved": "2025-02-19T16:30:47.777Z",
    "dateUpdated": "2025-02-25T14:31:28.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27141\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:31:15.032552Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T14:31:24.532Z\"}}], \"cna\": {\"title\": \"Metabase Enterprise Edition allows cached questions to leak data to impersonated users\", \"source\": {\"advisory\": \"GHSA-6cc4-h534-xh5p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"metabase\", \"product\": \"metabase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.47.0, \u003c 1.50.36\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.51.0, \u003c 1.51.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.52.0, \u003c 1.51.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.53.0, \u003c 1.53.2\"}]}], \"references\": [{\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p\", \"name\": \"https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://www.metabase.com/docs/latest/configuring-metabase/caching\", \"name\": \"https://www.metabase.com/docs/latest/configuring-metabase/caching\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.metabase.com/docs/latest/permissions/impersonation\", \"name\": \"https://www.metabase.com/docs/latest/permissions/impersonation\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732: Incorrect Permission Assignment for Critical Resource\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-24T22:05:14.188Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27141\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T14:31:28.020Z\", \"dateReserved\": \"2025-02-19T16:30:47.777Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-24T22:05:14.188Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.