CVE-2023-37470
📋 TL;DR
CVE-2023-37470 is a critical remote code execution vulnerability in Metabase that allows attackers to execute arbitrary code on the server by injecting malicious commands into H2 database connection strings. This affects all Metabase instances with H2 database support enabled, particularly through the connection validation API. Users who can access database configuration interfaces are potentially affected.
💻 Affected Systems
- Metabase
📦 What is this software?
Metabase by Metabase
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, or pivot to other systems in the network.
Likely Case
Remote code execution leading to data exfiltration, privilege escalation, and potential ransomware deployment on vulnerable Metabase servers.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting the Metabase application container.
🎯 Exploit Status
Exploitation requires access to database configuration endpoints, typically requiring some level of authentication, though setup endpoints may be accessible during initial configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, or 1.46.6.4
Vendor Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83
Restart Required: Yes
Instructions:
1. Identify your Metabase version.
2. Upgrade to one of the patched versions listed above.
3. Restart the Metabase service.
4. Verify H2 database connections are no longer possible.
🔧 Temporary Workarounds
Block Vulnerable Endpoints
Block access to the vulnerable API endpoints at network or application firewall level
iptables -A INPUT -p tcp --dport 3000 -m string --string "POST /api/database" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 3000 -m string --string "PUT /api/database/" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 3000 -m string --string "POST /api/setup/validate" --algo bm -j DROP
🧯 If You Can't Patch
- Disable H2 database support entirely in Metabase configuration
- Implement strict network segmentation and limit access to Metabase administration interfaces
🔍 How to Verify
Check if Vulnerable:
Check Metabase version via web interface or by examining the application metadata. Versions below the patched versions listed are vulnerable.
Check Version:
curl -s http://metabase-host:3000/api/session/properties | grep -o '"version":"[^"]*"'
Verify Fix Applied:
Verify Metabase version is one of the patched versions and attempt to add an H2 database connection - this should no longer be possible.
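The version check above is easy to get wrong by hand because there are eight patched releases across two major lines (0.x and 1.x) and four minor series. The script below is an added example, not part of this advisory or of Metabase: it parses a version tag, finds the patched release for the same major.minor series, and reports whether the instance is below it. The sample properties response is constructed; the assumption that `/api/session/properties` returns `version` either as a plain string or as an object with a `tag` key is the author's, and both shapes are accepted.

```python
"""Compare a Metabase version against the CVE-2023-37470 patched releases."""
import json
import re

# Patched releases from the vendor advisory, keyed by major.minor series.
PATCHED = {
    (0, 43): (0, 43, 7, 3), (0, 44): (0, 44, 7, 3),
    (0, 45): (0, 45, 4, 3), (0, 46): (0, 46, 6, 4),
    (1, 43): (1, 43, 7, 3), (1, 44): (1, 44, 7, 3),
    (1, 45): (1, 45, 4, 3), (1, 46): (1, 46, 6, 4),
}
FIRST_PATCHED_MINOR = 43  # no patched release exists for 0.42/1.42 and older


def parse_version(tag):
    """Turn 'v0.46.6' or '0.46.6.4' into a 4-tuple of ints (missing parts are 0)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){1,3})", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:4]


def version_from_properties(body):
    """Pull the version tag out of a /api/session/properties JSON body.
    Assumption: 'version' is either a plain string or an object with a 'tag'
    key; both shapes are accepted."""
    version = json.loads(body).get("version")
    if isinstance(version, dict):
        version = version.get("tag")
    if not isinstance(version, str):
        raise ValueError("no version tag in properties response")
    return version


def assess(tag):
    """Return 'patched', 'vulnerable' or 'not_listed'.

    Inside a listed series anything below the patched release is vulnerable.
    Series older than 0.43/1.43 have no patched release and are vulnerable.
    Series newer than 0.46/1.46 are outside the advisory's list, so the
    function makes no claim; confirm those against the vendor advisory."""
    v = parse_version(tag)
    major, minor = v[0], v[1]
    if (major, minor) in PATCHED:
        return "patched" if v >= PATCHED[(major, minor)] else "vulnerable"
    if major in (0, 1) and minor < FIRST_PATCHED_MINOR:
        return "vulnerable"
    return "not_listed"


# Constructed sample response; not captured from a real server.
SAMPLE_PROPERTIES = json.dumps({"version": {"tag": "v0.46.6", "date": "2023-07-01"}})

if __name__ == "__main__":
    tag = version_from_properties(SAMPLE_PROPERTIES)
    print(tag, "->", assess(tag))
```

Feed it the body returned by the curl command above in place of `SAMPLE_PROPERTIES`; a result of `not_listed` means the series is newer than anything in the advisory's list and needs a manual check rather than an automatic pass.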
📡 Detection & Monitoring
Log Indicators:
- Unusual database connection attempts with H2 driver
- Multiple failed connection validations
- Suspicious strings in POST requests to /api/database or /api/setup/validate
Network Indicators:
- Unusual outbound connections from Metabase server
- Traffic to /api/database or /api/setup/validate endpoints with H2 connection strings
SIEM Query:
source="metabase.logs" AND (uri_path="/api/database" OR uri_path="/api/setup/validate") AND (http_method="POST" OR http_method="PUT") AND request_body LIKE "%H2%"
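The SIEM query above matches the bare substring `H2`, which also hits unrelated words and hostnames. The script below is an added example, not part of this advisory or of Metabase: it applies the same three indicators (watched endpoints, H2 in the request body, repeated failed validations per source) to request records, but looks for the H2 engine selection and the `jdbc:h2:` URL prefix instead of the bare substring. The log records are constructed (one JSON object per line with `ts`, `src`, `method`, `path`, `status`, `body`); the assumption that Metabase's database payload names the driver in an `engine` field, possibly nested under `details`, is the author's, and the body walk is recursive so the exact nesting does not matter.

```python
"""Scan Metabase request records for CVE-2023-37470 indicators."""
import json
import re
from collections import Counter

WATCHED_PATHS = ("/api/database", "/api/setup/validate")
WATCHED_METHODS = ("POST", "PUT")
# The H2 JDBC URL prefix: tighter than the bare substring "H2", which also
# matches unrelated words and hostnames.
H2_URL = re.compile(r"jdbc:h2:", re.IGNORECASE)


def is_watched(method, path):
    """True for create/update/validate calls to the watched endpoints,
    including PUT /api/database/<id>."""
    return method in WATCHED_METHODS and any(
        path == p or path.startswith(p + "/") for p in WATCHED_PATHS
    )


def _mentions_h2(node):
    """Recursively look for an H2 engine selection or an H2 JDBC URL in parsed JSON.
    Assumption: the driver name lives in an 'engine' field; walking the whole
    tree covers the nested 'details' shape of the setup validation call too."""
    if isinstance(node, dict):
        if str(node.get("engine", "")).lower() == "h2":
            return True
        return any(_mentions_h2(v) for v in node.values())
    if isinstance(node, list):
        return any(_mentions_h2(v) for v in node)
    if isinstance(node, str):
        return bool(H2_URL.search(node))
    return False


def h2_in_body(body):
    """Return True when the request body selects H2 or carries an H2 JDBC URL.
    Non-JSON bodies fall back to a plain search for the URL prefix."""
    try:
        return _mentions_h2(json.loads(body))
    except (json.JSONDecodeError, TypeError):
        return bool(H2_URL.search(body or ""))


def scan(lines):
    """One alert per watched request whose body references H2."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if is_watched(rec["method"], rec["path"]) and h2_in_body(rec.get("body", "")):
            alerts.append({"ts": rec["ts"], "src": rec["src"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"]})
    return alerts


def failed_validations_by_source(lines, threshold=2):
    """Sources with at least `threshold` failed (4xx/5xx) watched requests:
    the 'multiple failed connection validations' indicator."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if is_watched(rec["method"], rec["path"]) and rec["status"] >= 400:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample records (one JSON object per line); not real Metabase logs.
_EVENTS = [
    {"ts": "2023-08-04T10:01:02Z", "src": "10.0.0.5", "method": "GET",
     "path": "/api/database", "status": 200, "body": ""},
    {"ts": "2023-08-04T10:02:10Z", "src": "10.0.0.7", "method": "POST",
     "path": "/api/database", "status": 200,
     "body": json.dumps({"engine": "postgres",
                         "details": {"host": "db.internal", "dbname": "warehouse"}})},
    {"ts": "2023-08-04T10:03:41Z", "src": "203.0.113.9", "method": "POST",
     "path": "/api/database", "status": 400,
     "body": json.dumps({"engine": "h2", "details": {"db": "/tmp/scratch"}})},
    {"ts": "2023-08-04T10:03:55Z", "src": "203.0.113.9", "method": "PUT",
     "path": "/api/database/7", "status": 403,
     "body": json.dumps({"engine": "H2", "details": {"db": "/tmp/scratch"}})},
    {"ts": "2023-08-04T10:04:20Z", "src": "203.0.113.9", "method": "POST",
     "path": "/api/setup/validate", "status": 400,
     "body": json.dumps({"details": {"details": {"db": "jdbc:h2:mem:scratch"}}})},
]
SAMPLE_LINES = [json.dumps(e) for e in _EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print("ALERT", alert)
    print("repeated failures:", failed_validations_by_source(SAMPLE_LINES))
```

On the sample records the first two lines are ignored (a GET, then a normal Postgres connection), and the three H2 requests from the same source are flagged both individually and as a burst of failed validations. On a patched instance any H2 request to these endpoints is worth an alert on its own, since the fix removed the option entirely.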