CVE-2024-55951
Description
Metabase 1.52.0–1.52.2.4 leaks sandboxed users' field filter values to other sandboxed users; fixed in 1.52.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-55951 is an information disclosure vulnerability in Metabase, an open-source data analytics platform. The flaw affects sandboxing configurations created between versions 1.52.0 and 1.52.2.4. In these versions, when a sandboxed user interacts with field filters, the values they see are inadvertently exposed to other sandboxed users, breaking the intended data isolation.
Exploitation Details
The attack surface is limited to environments where Metabase's sandboxing feature is used to restrict data access for different user groups. An attacker must be an authenticated, sandboxed user within the same Metabase instance. By interacting with field filters during query building or dashboard viewing, the attacker may observe field filter values that belong to other sandboxed users, revealing data intended to be hidden.
Impact
A successful exploit allows a sandboxed user to see field filter values (e.g., customer names, regions, or other segmented data) from other sandboxed users. This violates the data-access segmentation that sandboxing is designed to enforce, potentially exposing sensitive information to unauthorized parties within the organization.
Mitigation
The issue is fixed in Metabase version 1.52.2.5. According to the advisory, no workarounds exist apart from upgrading to the patched version. Users running 1.52.0, 1.52.1, or 1.52.2.x (prior to the fix) should upgrade immediately. Docker users can pull the updated image tags as listed in the official Docker Hub repository [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
4e625d8a4bd4
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.