CVE-2023-38646
Published: 21 July 2023
Summary
CVE-2023-38646 is a critical-severity vulnerability (weakness type unspecified) in Metabase. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Metabase open source versions prior to 0.46.6.1 and Metabase Enterprise versions prior to 1.46.6.1 are affected by an unauthenticated remote code execution vulnerability that permits arbitrary command execution on the server host with the privileges of the Metabase process. The flaw also impacts several older branches, with fixes issued in 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. The issue carries a CVSS score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An attacker can send a crafted request directly to an exposed Metabase instance and obtain full command execution on the underlying server. Because authentication is not required, the vulnerability can be exploited by any remote party able to reach the application, enabling complete compromise of the host and any data or services accessible to the Metabase process.
Publicly available advisories and the official Metabase release notes direct administrators to upgrade immediately to one of the patched versions listed above. Exploit code has been published on Packet Storm and discussed on GitHub and Hacker News, while the EPSS score has reached 0.9425, indicating substantial real-world exploitation interest following disclosure.
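The upgrade guidance above spans four release lines, each with its own first fixed version, so "am I patched?" is not a single comparison. The following added example (not code from the advisory or from the Metabase project) turns the fixed versions listed above into an inventory check. It assumes Metabase's version scheme of <edition>.<major>.<minor>[.<patch>], where edition 0 is the open-source build and 1 is Metabase Enterprise; the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Check Metabase version strings against the fixed versions for CVE-2023-38646.

Added example, not code from the advisory or from the Metabase project. It
assumes Metabase's version scheme <edition>.<major>.<minor>[.<patch>] where
edition 0 is the open-source build and 1 is Metabase Enterprise. Hostnames and
versions in the sample inventory are constructed for illustration.
"""

# First fixed version per release line, as listed in the advisory.
# Key: (edition, major); value: first fixed version in that line.
FIXED = {
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
}

# The primary fix line per edition: any build below it with no backported
# fix in its own line is affected ("before 0.46.6.1" / "before 1.46.6.1").
PRIMARY_FIX = {0: (0, 46, 6, 1), 1: (1, 46, 6, 1)}


def parse_version(text):
    """Turn '0.46.6.1' or 'v1.45.3' into a tuple of ints, e.g. (0, 46, 6, 1)."""
    text = text.strip().lstrip("v")
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) < 2 or parts[0] not in (0, 1):
        raise ValueError(f"not a recognised Metabase version: {text!r}")
    return parts


def is_affected(version_text):
    """True when the version lies in the range the advisory describes as vulnerable."""
    v = parse_version(version_text)
    edition, major = v[0], v[1]
    # A backported fix exists for this release line: compare against it.
    if (edition, major) in FIXED:
        return v < FIXED[(edition, major)]
    # Otherwise the advisory's general rule applies: everything before the primary fix.
    return v < PRIMARY_FIX[edition]


def scan_inventory(lines):
    """Given 'host version' lines, return the hosts still running an affected build."""
    affected = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split()
        if is_affected(version):
            affected.append(host)
    return affected


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = """
# host            version
bi-prod-1         0.46.6
bi-prod-2         0.46.6.1
bi-ent-1          1.45.3
bi-ent-2          1.44.7.1
bi-legacy         0.42.2
bi-new            0.47.0
"""

if __name__ == "__main__":
    for host in scan_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host}: affected by CVE-2023-38646, upgrade required")
```

Tuple comparison does the work: a three-component version such as 0.46.6 compares lower than 0.46.6.1, which matches the advisory's "before 0.46.6.1" wording, while 0.47.0 and later compare higher and are reported as not affected. A build such as 0.42.x has no backported fix, so it falls under the general rule and is reported as affected; the only remedy for those lines is moving to one of the fixed versions listed above.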
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42445
Vulnerability details
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.