An unauthenticated attacker can obtain the setup token for an instance and use it to achieve remote code execution via an endpoint that allows validation of an H2 database connection. When the connection is validated, the H2 JDBC driver allows the attacker to achieve RCE.
An attacker can execute arbitrary Java code on the system, leading to arbitrary command execution.
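The two conditions the description above combines, an unauthenticated caller reaching a database-validation endpoint and that endpoint accepting an H2 connection, are both things a defender can look for in request logs and deny in an allow-list. The following is an added example written for this page; it is not code from Assetnote or from the Metabase project. The log format, the endpoint path "/api/db-validate", and the field names (path, authenticated, body, engine, details) are assumptions chosen for the example, not Metabase's real schema, and the log lines are constructed.

```python
import json
import re
from dataclasses import dataclass

# Assumed endpoint path for the database-validation call (placeholder, not Metabase's real route).
VALIDATE_PATH = "/api/db-validate"

# H2 JDBC URLs start with this prefix; matching on it catches H2 even when the
# declared engine field is missing or spoofed.
H2_URL = re.compile(r"jdbc:h2:", re.IGNORECASE)

# Constructed sample log: one JSON record per line, fields are assumptions.
SAMPLE_LOG = """
{"ts": "2023-07-22T10:00:01Z", "path": "/api/db-validate", "authenticated": false, "body": {"engine": "h2", "details": {"db": "jdbc:h2:mem:example"}}}
{"ts": "2023-07-22T10:00:02Z", "path": "/api/db-validate", "authenticated": true, "body": {"engine": "postgres", "details": {"host": "db.internal"}}}
{"ts": "2023-07-22T10:00:03Z", "path": "/api/dashboard/1", "authenticated": true, "body": {}}
"""


@dataclass
class Finding:
    ts: str
    reason: str


def is_h2_request(body: dict) -> bool:
    """True if the validation request declares the H2 engine or carries an H2 JDBC URL."""
    details = body.get("details") or {}
    if body.get("engine") == "h2":
        return True
    return any(H2_URL.search(str(v)) for v in details.values())


def scan(log_text: str, setup_complete: bool = True) -> list:
    """Flag validation requests that use H2, and unauthenticated validation
    requests made after initial setup has already finished (when the setup
    token should no longer be usable)."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != VALIDATE_PATH:
            continue
        body = rec.get("body") or {}
        if is_h2_request(body):
            findings.append(Finding(rec["ts"], "h2-validation"))
        if setup_complete and not rec.get("authenticated", False):
            findings.append(Finding(rec["ts"], "unauthenticated-validation-after-setup"))
    return findings


# Engines an administrator chooses to permit on the validation endpoint (assumed allow-list).
ALLOWED_ENGINES = {"postgres", "mysql"}


def allow_validation(engine: str, authenticated: bool, setup_complete: bool) -> bool:
    """Server-side policy: refuse H2 (and anything not on the allow-list), and
    refuse unauthenticated validation once setup is complete."""
    if engine not in ALLOWED_ENGINES:
        return False
    if setup_complete and not authenticated:
        return False
    return True


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.reason)
```

scan() is the detection side (run it over historical access logs to find past validation attempts); allow_validation() is the same rule expressed as a deny decision for an application or reverse proxy to apply before the JDBC driver is ever handed the connection details.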
Metabase open source before 0.46.6.1 and Metabase Enterprise before 126.96.36.199 allow attackers to execute arbitrary commands on the server.
Metabase is an open source business intelligence tool that lets you create charts and dashboards using data from a variety of databases and data sources.
Upgrade to the latest version of Metabase > v188.8.131.52.
Metabase’s official advisory can be found here.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Shubham Shah - Assetnote Security Research Team