{"id":"CVE-2024-55951","summary":"Metabase sandboxed users could see filter values from other sandboxed users","details":"Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading.","aliases":["GHSA-rhjf-q2qw-rvx3"],"modified":"2026-04-10T05:19:33.382530Z","published":"2024-12-16T20:03:54.861Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55951.json","cwe_ids":["CWE-200"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://downloads.metabase.com/v0.52.2.5/metabase.jar"},{"type":"WEB","url":"https://hub.docker.com/r/metabase/metabase/tags"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55951.json"},{"type":"ADVISORY","url":"https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55951"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"0"},{"fixed":"4e625d8a4bd46c950b7f9b747bf812cb22b59a9f"}],"database_specific":{"versions":[{"introduced":"1.52.0"},{"fixed":"1.52.2.5"}]}}],"versions":["0.10.3","0.34.0-rc1","blah","embedding-sdk-0.1.0","embedding-sdk-0.1.10","embedding-sdk-0.1.11","embedding-sdk-0.1.12","embedding-sdk-0.1.13","embedding-sdk-0.1.14","embedding-sdk-0.1.15","embedding-sdk-0.1.16","embedding-sdk-0.1.17","embedding-sdk-0.1.18","embedding-sdk-0.1.19","embedding-sdk-0.1.2","embedding-sdk-0.1.20","embedding-sdk-0.1.21","embedding-sdk-0.1.22","embedding-sdk-0.1.23","embedding-sdk-0.1.24","embedding-sdk-0.1.25","embedding-sdk-0.1.26","embedding-sdk-0.1.27","embedding-sdk-0.1.28","embedding-sdk-0.1.29","embedding-sdk-0.1.30","embedding-sdk-0.1.31","embedding-sdk-0.1.32","embedding-sdk-0.1.33","embedding-sdk-0.1.34","embedding-sdk-0.1.35","embedding-sdk-0.1.36","embedding-sdk-0.1.37","embedding-sdk-0.1.38","embedding-sdk-0.1.4","embedding-sdk-0.1.5","embedding-sdk-0.1.6","embedding-sdk-0.1.7","embedding-sdk-0.1.8","embedding-sdk-0.1.9","embedding-sdk-0.52.1-nightly","embedding-sdk-0.52.2-nightly","embedding-sdk-1.52.1","rm","v0.10.0","v0.10.3","v0.10.4","v0.10.4.1","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.12.0-test","v0.13.0","v0.26.0.RC1","v0.35.0","v0.35.0-rc1","v0.35.0-rc2","v0.36.0-snapshot","v0.37.0-rc2","v0.38.0-preview","v0.38.0-rc1","v0.38.0-rc2","v0.38.0-rc3","v0.38.0-rc4","v0.40.0","v0.40.0-rc1-dan","v0.40.0-rc2","v0.41.0-RC1","v0.42.0-preview1","v0.43.0-rc1","v0.44.0-RC1","v0.45.0-RC1","v0.45.0-RC2","v0.47.0-RC1","v0.48.0-RC1","v0.52.0-beta","v0.52.0.1-beta","v0.52.0.2-beta","v0.52.0.3-beta","v0.52.0.4-beta","v0.52.0.5-beta","v0.52.1","v0.52.1.1","v0.52.1.2","v0.52.1.3","v0.52.2","v0.52.2.1","v0.52.2.2","v0.52.2.3","v0.52.2.4","v0.9-final","v1.40.0","v1.40.0-rc2","v1.41.0-RC1","v1.42.0-preview1","v1.42.0-rc2","v1.43.0-rc1","v1.44.0-RC1","v1.45.0-RC1","v1.45.0-RC2","v1.47.0-RC1","v1.48.0-RC1","v1.52.0-beta","v1.52.0.1-beta","v1.52.0.2-beta","v1.52.0.3-beta","v1.52.0.4-beta","v1.52.0.5-beta","v1.52.1","v1.52.1.1","v1.52.1.2","v1.52.1.3","v1.52.2","v1.52.2.1","v1.52.2.2","v1.52.2.3","v1.52.2.4","v20150601-alpha","v20150603-alpha","v20150604-alpha"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55951.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"}]}