Impact
Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user viewed the settings for a dashboard subscription, and another user had added users to that subscription, the sandboxed user would be able to view the list of recipients for that subscription.
Patches
This issue will be patched in 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, 1.45.2.1. When a sandboxed user views the list of recipients for a dashboard subscriptions, they will only ever see their user account in the list of recipients.
Workarounds
There are no workarounds for this issue aside from upgrading.
Impact
Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user viewed the settings for a dashboard subscription, and another user had added users to that subscription, the sandboxed user would be able to view the list of recipients for that subscription.
Patches
This issue will be patched in
0.43.7.1,1.43.7.1,0.44.6.1,1.44.6.1,0.45.2.1,1.45.2.1. When a sandboxed user views the list of recipients for a dashboard subscriptions, they will only ever see their user account in the list of recipients.Workarounds
There are no workarounds for this issue aside from upgrading.