Metabase
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*
- < 0.57.13
- < 0.58.7
A vulnerability exists in Metabase, an open-source data analytics platform, in versions prior to 0.57.13 and in the 0.58.x series up to 0.58.6. Authenticated users can exploit this vulnerability to access sensitive information from the Metabase instance, including database access credentials. This is achieved by sending a specific template through the notifications endpoint, which is then evaluated server-side. The rendered output, containing the extracted credentials, is included in the email body. This issue has been addressed in Metabase versions 0.57.13 and 0.58.7.
Exploitation of this vulnerability allows low-privileged authenticated users to retrieve sensitive information, such as database credentials, from the Metabase instance. The extracted information is delivered via email, because the notification template evaluation feature can be manipulated to include the confidential data in the rendered message body.
Users should upgrade to Metabase version 0.57.13 or 0.58.7. For Metabase Enterprise, the corresponding fixed versions are 1.57.13 and 1.58.7. Instructions for downloading the JAR files or pulling the Docker images for these versions are in the Metabase release notes. As an interim mitigation, administrators can temporarily disable notifications in their Metabase instance so that the vulnerable endpoint is not reachable.