Vulnerability Details : CVE-2023-38646
Public exploit exists!
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Products affected by CVE-2023-38646
- Metabase » Metabase » Enterprise Edition, versions from 1.46.0 (inclusive) up to but not including 1.46.6.1: cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
- cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*
- Metabase » Metabase » Enterprise Edition, versions from 1.44.0 (inclusive) up to but not including 1.44.7.1: cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
- cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
- Metabase » Metabase » Enterprise Edition, versions from 1.45.0 (inclusive) up to but not including 1.45.4.1: cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38646
- EPSS score: 86.55% (probability of exploitation activity in the next 30 days)
- Percentile: ~99% (the proportion of vulnerabilities that are scored at or below this value)
Metasploit modules for CVE-2023-38646
- Metabase Setup Token RCE
  - Disclosure Date: 2023-07-22
  - First seen: 2023-09-11
  - Module: exploit/linux/http/metabase_setup_token_rce
  - Description: Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new databas
CVSS scores for CVE-2023-38646
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
References for CVE-2023-38646
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html (Metabase 0.46.6 Remote Code Execution ≈ Packet Storm)
- https://news.ycombinator.com/item?id=36812256 (Tell HN: Upgrade your Metabase installation immediately | Hacker News; Issue Tracking)
- https://www.metabase.com/blog/security-advisory (Please upgrade your Metabase immediately; Vendor Advisory)
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1 (Release Metabase v0.46.6.1 · metabase/metabase · GitHub; Release Notes)
- https://github.com/metabase/metabase/issues/32552 (Metabase 0.46.6 is available. You're running 0.46.6.1 · Issue #32552 · metabase/metabase · GitHub; Issue Tracking)
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html (Metabase Remote Code Execution ≈ Packet Storm)