Advisory: Metabase Pre-Auth RCE (CVE-2023-38646)
Summary
An unauthenticated attacker can retrieve the instance's setup token, a secret intended only for first-run configuration that nevertheless remains readable without authentication after setup has completed. Presenting that token to the setup API endpoint that validates a database connection lets the attacker submit an arbitrary JDBC connection string. With an H2 connection string, the H2 JDBC driver is loaded with attacker-controlled connection parameters, and SQL that H2 executes while opening the connection is enough to run arbitrary code inside the Metabase JVM.
Impact
An unauthenticated attacker can execute arbitrary code in the Metabase JVM, which in turn allows arbitrary operating-system commands to be run with the privileges of the Metabase process.
Affected Software
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 are affected. Fixed releases were also published for older release lines (0.45.4.1 / 1.45.4.1, 0.44.7.1 / 1.44.7.1 and 0.43.7.2 / 1.43.7.2, as listed in the CVE record); versions on those lines below the listed fix are affected.
Product Description
Metabase is an open source business intelligence tool that lets you create charts and dashboards using data from a variety of databases and data sources.
Solution
Upgrade to Metabase 0.46.6.1 or later (open source) or 1.46.6.1 or later (Enterprise), or to the corresponding patched release of an older supported release line.
Metabase’s official advisory can be found here.
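For teams triaging their own estate, the following is an added example (not Assetnote's or Metabase's code) that classifies a Metabase version tag against the fixed versions listed in the CVE record and inspects a captured `/api/session/properties` response for the two indicators that matter here: a vulnerable version and a setup token still exposed to unauthenticated callers. The JSON shape, including the `setup-token` key, is assumed from the advisory and the sample responses are constructed, not taken from a real instance.

```python
"""Triage helper for CVE-2023-38646 (Metabase pre-auth RCE).

Added example, not project code. Fixed versions come from the CVE record;
the JSON key names for the properties endpoint are assumed.
"""
import json
import re
from typing import Optional, Tuple

# Per release line: the (patch, hotfix) pair of the first fixed version.
# Anything below it on the same line is vulnerable. Lines newer than the
# newest fixed line were released after the fix; older lines with no entry
# received no fix and are treated as vulnerable.
FIXED_PATCH = {46: (6, 1), 45: (4, 1), 44: (7, 1), 43: (7, 2)}
LATEST_FIXED_LINE = max(FIXED_PATCH)


def parse_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v0.46.6', '1.46.6.1' or 'v0.46.6.1-SNAPSHOT' into (0, 46, 6, 1).

    The leading 'v' and any suffix after a '-' are dropped. The first
    component is the edition (0 = open source, 1 = Enterprise).
    Returns None when the tag is not a dotted version.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)+)", tag.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(tag: str) -> Optional[bool]:
    """True if the version is below the fix for its release line, False if
    patched, None if the tag cannot be interpreted."""
    parts = parse_version(tag)
    if parts is None or len(parts) < 2 or parts[0] not in (0, 1):
        return None
    line = parts[1]
    # Pad missing patch/hotfix components with zeros so 'v0.46.6' compares as (6, 0).
    patch = (parts[2:] + (0, 0))[:2]
    if line > LATEST_FIXED_LINE:
        return False
    if line not in FIXED_PATCH:
        return True
    return patch < FIXED_PATCH[line]


def assess(properties_json: str) -> dict:
    """Evaluate a captured /api/session/properties body (assumed shape).

    A non-empty 'setup-token' returned to an unauthenticated caller is the
    pre-auth exposure this advisory depends on; a vulnerable version tag
    means the validation endpoint will accept the H2 connection string.
    """
    props = json.loads(properties_json)
    tag = (props.get("version") or {}).get("tag", "")
    token = props.get("setup-token")
    return {
        "version": tag,
        "vulnerable_version": is_vulnerable(tag),
        "setup_token_exposed": bool(token),
    }


# Constructed sample responses (not real instance output).
SAMPLE_PROPERTIES_VULNERABLE = json.dumps({
    "version": {"tag": "v0.46.6"},
    "setup-token": "00000000-constructed-token-value",
})
SAMPLE_PROPERTIES_PATCHED = json.dumps({
    "version": {"tag": "v0.46.6.1"},
    "setup-token": None,
})

if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_PROPERTIES_VULNERABLE),
                        ("patched", SAMPLE_PROPERTIES_PATCHED)):
        print(label, assess(body))
```

An instance that reports a patched version but still returns a non-empty setup token deserves a second look, since the token disclosure is the pre-auth half of the chain; conversely, a vulnerable version with no exposed token is still one configuration change away from being exploitable and should be upgraded rather than left alone.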
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
Shubham Shah - Assetnote Security Research Team
Maxwell Garrett