Vulnerability Information
Vulnerability Title
Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE
Vulnerability Description
Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information, including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. As a workaround, users can disable notifications in their Metabase instance to block access to the vulnerable endpoints.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
CWE-1336
Vulnerability Title
Metabase Security Vulnerability
Vulnerability Description
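Metabase is an open-source data analytics platform from Metabase, a US company. Metabase versions prior to 0.57.13 and versions 0.58.6 and earlier contain a security vulnerability. The vulnerability stems from improper template evaluation and may allow low-privileged users to extract sensitive information such as database credentials.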
CVSS Information
N/A
Vulnerability Type
N/A