Metabase 0.43.x < 0.43.7.1 / 0.44.x < 0.44.6.1 / 0.45.x < 0.45.2.1 / 1.43.x < 1.43.7.1 / 1.44.x < 1.44.6.1 / 1.45.x < 1.45.2.1

#%NASL_MIN_LEVEL 80900
##
# Tenable, Inc.
## 
include('compat.inc');

if (description)
{
  script_id(261773);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/09");

  script_name(english:"Metabase 0.43.x < 0.43.7.1 / 0.44.x < 0.44.6.1 / 0.45.x < 0.45.2.1 / 1.43.x < 1.43.7.1 / 1.44.x < 1.44.6.1 / 1.45.x < 1.45.2.1");
  script_cve_id("CVE-2023-23628", "CVE-2023-23629");
  script_cwe_id("CWE-200","CWE-269"); 
  
  script_set_attribute(attribute:"synopsis", value:
  "The remote host is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
  "The version of Metabase installed on the remote host is affected by multiple vulnerabilities: 
  
    - An information disclosure exposure of sensitive information to an Unauthorized Actor. Sandboxed users 
      shouldn't be able to view data about other Metabase users anywhere in the Metabase application. 
      However, when a sandbox user views the settings for a dashboard subscription, and another user has 
      added users to that subscription, the sandboxed user is able to view the list of recipients for that 
      subscription. (CVE-2023-23628)

    - An access control exposure in that someone with greater access to data can create a dashboard subscription, 
      add people with fewer data privileges, and all recipients of that subscription receive the same data. The charts
      shown in the email would abide by the privileges of the user who created the subscription. The issue is users with 
      fewer privileges who can view a dashboard are able to add themselves to a dashboard subscription created by 
      someone with additional data privileges, and thus get access to more data via email. (CVE-2023-23629)

  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.");
  # https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afa2a6a8");
  # https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a525dbcc");
  script_set_attribute(attribute:"solution", value:
  "Upgrade to Metabase version 0.43.7.1, 0.44.6.1, 0.45.2.1, 1.43.7.1, 1.44.6.1, 1.45.2.1, or later.");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:metabase:metabase");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-23628");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_dependencies("metabase_detect.nbin");
  script_require_keys("installed_sw/Metabase");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'Metabase');

var constraints = [
    { 'min_version':'0.43', 'fixed_version':'0.43.7.1' },
    { 'min_version':'0.44', 'fixed_version':'0.44.6.1' },
    { 'min_version':'0.45', 'fixed_version':'0.45.2.1' },
    { 'min_version':'1.43', 'fixed_version':'1.43.7.1' },
    { 'min_version':'1.44', 'fixed_version':'1.44.6.1' },
    { 'min_version':'1.45', 'fixed_version':'1.45.2.1' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);