cve-2025-27141
Vulnerability from cvelistv5
Published
2025-02-24 22:05
Modified
2025-02-25 14:31
Severity ?
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.
References
security-advisories@github.comhttps://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p
security-advisories@github.comhttps://www.metabase.com/docs/latest/configuring-metabase/caching
security-advisories@github.comhttps://www.metabase.com/docs/latest/permissions/impersonation
Impacted products
Vendor Product Version
metabase metabase Version: >= 1.47.0, < 1.50.36
Version: >= 1.51.0, < 1.51.14
Version: >= 1.52.0, < 1.51.11
Version: >= 1.53.0, < 1.53.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27141",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:31:15.032552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T14:31:28.020Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "metabase",
          "vendor": "metabase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.47.0, \u003c 1.50.36"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.51.0, \u003c 1.51.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.52.0, \u003c 1.51.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.53.0, \u003c 1.53.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-24T22:05:14.188Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p"
        },
        {
          "name": "https://www.metabase.com/docs/latest/configuring-metabase/caching",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.metabase.com/docs/latest/configuring-metabase/caching"
        },
        {
          "name": "https://www.metabase.com/docs/latest/permissions/impersonation",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.metabase.com/docs/latest/permissions/impersonation"
        }
      ],
      "source": {
        "advisory": "GHSA-6cc4-h534-xh5p",
        "discovery": "UNKNOWN"
      },
      "title": "Metabase Enterprise Edition allows cached questions to leak data to impersonated users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27141",
    "datePublished": "2025-02-24T22:05:14.188Z",
    "dateReserved": "2025-02-19T16:30:47.777Z",
    "dateUpdated": "2025-02-25T14:31:28.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-27141\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-24T22:15:23.077\",\"lastModified\":\"2025-02-24T22:15:23.077\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnerableSystemConfidentiality\":\"NONE\",\"vulnerableSystemIntegrity\":\"NONE\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"LOW\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"references\":[{\"url\":\"https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.metabase.com/docs/latest/configuring-metabase/caching\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.metabase.com/docs/latest/permissions/impersonation\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Metabase Enterprise Edition allows cached questions to leak data to impersonated users\", \"source\": {\"advisory\": \"GHSA-6cc4-h534-xh5p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"metabase\", \"product\": \"metabase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.47.0, \u003c 1.50.36\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.51.0, \u003c 1.51.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.52.0, \u003c 1.51.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.53.0, \u003c 1.53.2\"}]}], \"references\": [{\"url\": \"https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p\", \"name\": \"https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://www.metabase.com/docs/latest/configuring-metabase/caching\", \"name\": \"https://www.metabase.com/docs/latest/configuring-metabase/caching\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.metabase.com/docs/latest/permissions/impersonation\", \"name\": \"https://www.metabase.com/docs/latest/permissions/impersonation\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don\\u2019t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732: Incorrect Permission Assignment for Critical Resource\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-24T22:05:14.188Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27141\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:31:15.032552Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-02-25T14:31:24.532Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27141\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-24T22:05:14.188Z\", \"dateReserved\": \"2025-02-19T16:30:47.777Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-24T22:05:14.188Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.