Inclusion of Sensitive Information in Log Files in Metabase - #VU130132

 


Published: May 18, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU130132
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-532
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Metabase
Software vendor:
Metabase

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to the insertion of sensitive information into metadata in the internal HTTP client when handling HTTP errors from Presto connections that use basic authentication. A remote user can trigger an error condition and obtain API responses that contain unsanitized request headers, which discloses sensitive information.

Only configurations using Presto with basic authentication are vulnerable.
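
An added illustration of this failure mode, not code from Metabase or from the vendor's fix: a Python model in which an HTTP client error carries the failed request as metadata, showing the error body serialized as-is beside a version redacted before it reaches the API response. The `UpstreamHTTPError` class, the header list, the host name and the credentials are constructed assumptions.

```python
import base64
import json

# Header names whose values must never leave the server (assumed list for this sketch).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "**REDACTED**"


class UpstreamHTTPError(Exception):
    """Hypothetical client error that keeps the failed request as metadata."""

    def __init__(self, status, request):
        super().__init__(f"upstream returned HTTP {status}")
        self.data = {"status": status, "request": request}


def redact(value):
    """Return a deep copy of value with sensitive header values masked."""
    if isinstance(value, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_HEADERS else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value


def error_body_unsafe(exc):
    """Behaviour as described above: error metadata is serialized as-is."""
    return json.dumps({"message": str(exc), "data": exc.data})


def error_body_safe(exc):
    """Hardened form: metadata is redacted before it reaches the response."""
    return json.dumps({"message": str(exc), "data": redact(exc.data)})


def constructed_error():
    """Constructed sample: a failed Presto request sent with basic authentication."""
    token = base64.b64encode(b"example-user:example-password").decode()
    request = {
        "method": "POST",
        "url": "https://presto.example.invalid/v1/statement",
        "headers": {"Authorization": f"Basic {token}", "Content-Type": "text/plain"},
    }
    return UpstreamHTTPError(500, request), token
```

The same `redact` step belongs in front of any log call that records the error metadata, since the value is equally exposed there.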


Remediation

Install the security update from the vendor's website.
