CVE-2023-23629: 
NixOS vulnerability analysis and mitigation

Metabase, an open source data analytics platform, was found to contain a vulnerability (CVE-2023-23629) related to improper privilege management. The vulnerability was discovered and disclosed on January 27, 2023. The issue affects multiple versions of Metabase and allows users with lower privileges to bypass data access restrictions through dashboard subscriptions (NVD).

The vulnerability stems from a privilege management flaw in the dashboard subscription feature. While the intended functionality allows subscription creators to share dashboard data with recipients based on the creator's privileges, the vulnerability enables users with lower privileges to add themselves to dashboard subscriptions created by users with higher data privileges, thereby gaining unauthorized access to sensitive data via email. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive data to unauthorized users. Users with lower privileges can circumvent their data access restrictions by exploiting the dashboard subscription feature, allowing them to view data that should be restricted from their access level (NVD).

The vulnerability has been patched in versions 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. For Metabase instances running Enterprise Edition, administrators can implement a temporary workaround by disabling the 'Subscriptions and Alerts' permission for groups that have restricted data permissions (NVD).