CVE-2023-38646

EUVD-2023-42445
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
metabasemetabase
𝑥
< 0.43.7.2
metabasemetabase
𝑥
< 1.43.7.2
metabasemetabase
0.44.0 ≤
𝑥
< 0.44.7.1
metabasemetabase
0.45.0 ≤
𝑥
< 0.45.4.1
metabasemetabase
0.46.0 ≤
𝑥
< 0.46.6.1
metabasemetabase
1.44.0 ≤
𝑥
< 1.44.7.1
metabasemetabase
1.45.0 ≤
𝑥
< 1.45.4.1
metabasemetabase
1.46.0 ≤
𝑥
< 1.46.6.1
𝑥
= Vulnerable software versions
References
http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
https://github.com/metabase/metabase/issues/32552
https://github.com/metabase/metabase/releases/tag/v0.46.6.1
https://news.ycombinator.com/item?id=36812256
https://www.metabase.com/blog/security-advisory
http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
https://github.com/metabase/metabase/issues/32552
https://github.com/metabase/metabase/releases/tag/v0.46.6.1
https://news.ycombinator.com/item?id=36812256
https://www.metabase.com/blog/security-advisory