CVE-2023-38646

9.8 CRITICAL

📋 TL;DR

CVE-2023-38646 is a critical pre-authentication remote code execution vulnerability in Metabase that lets an unauthenticated attacker execute arbitrary commands on the server with the privileges of the Metabase process. The flaw is that the installation's setup token remains retrievable from the unauthenticated /api/session/properties endpoint after setup has completed, and the /api/setup/validate endpoint accepts an attacker-supplied H2 JDBC connection string that can run code while the connection is opened. It affects Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1; backported fixes exist for older release lines (0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, 1.43.7.2), and anything older than those is vulnerable.

💻 Affected Systems

Products:
  • Metabase Open Source
  • Metabase Enterprise
Versions: Open Source before 0.46.6.1 and Enterprise before 1.46.6.1. On older release lines, anything below the backported fix: 0.45.4.1 / 1.45.4.1, 0.44.7.1 / 1.44.7.1, 0.43.7.2 / 1.43.7.2 (these are the fixed versions, not vulnerable ones; release lines older than 0.43 / 1.43 received no backport and are vulnerable at every version)
Operating Systems: All operating systems running Metabase
Default Config Vulnerable: ⚠️ Yes
Notes: No authentication is required; a default installation is exploitable whether or not initial setup has been completed, because the setup token stays retrievable. The vulnerability is in the application code itself, so it is independent of the deployment method (JAR, Docker image, cloud) and of which application database (H2, PostgreSQL, MySQL) Metabase uses for its own metadata.

📦 What is this software?

Metabase is an open-source business intelligence tool: it connects to your databases (PostgreSQL, MySQL, BigQuery and others), lets users build queries and dashboards in a browser, and stores the connection credentials for those data sources in its own application database. It runs as a Java application and listens on TCP port 3000 by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, lateral movement into every data source Metabase can reach, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Attackers gain shell access as the Metabase service account, read the application database (which holds the credentials for every configured data source; these are stored in cleartext unless MB_ENCRYPTION_SECRET_KEY is set), exfiltrate sensitive data, and pivot to the databases those credentials unlock.

🟢 If Mitigated: Limited impact because Metabase runs with minimal privileges in a segmented network, data-source accounts are read-only and scoped, and the attempt is detected and contained quickly.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internal instances are at risk from compromised internal hosts or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts exist, making this trivial to exploit. The vulnerability has been actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Open Source: 0.46.6.1 or higher; Enterprise: 1.46.6.1 or higher; Also fixed in: 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, 1.43.7.2

Vendor Advisory: https://github.com/metabase/metabase/releases/tag/v0.46.6.1

Restart Required: Yes

Instructions:

1. Back up the Metabase application database (the H2 file, or the PostgreSQL/MySQL database if you configured one) and your configuration.
2. Stop the Metabase service.
3. Update to a patched version: download the new JAR from the GitHub releases page, or pull the patched image tag if you run the official Docker image.
4. Restart the Metabase service.
5. Verify the update: the version tag the instance reports (gear menu → About Metabase, or GET /api/session/properties) must be one of the fixed versions listed above.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to Metabase instances using firewall rules that only allow trusted IP addresses. This reduces exposure but does not remove the vulnerability: anyone who can reach port 3000 from a trusted address, including an attacker who has compromised a trusted host, can still exploit it.

# Example iptables rules for Linux. Order matters: -A appends, so if an
# earlier rule already accepts port 3000, use -I to insert these at the top.
sudo iptables -A INPUT -p tcp --dport 3000 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3000 -j DROP
# If Metabase runs in Docker with a published port, traffic never hits INPUT;
# place equivalent rules in the DOCKER-USER chain instead.

Reverse Proxy with Authentication (all platforms)

Place Metabase behind a reverse proxy (nginx, Apache) that requires its own authentication before a request reaches the application, so the vulnerable /api/setup/validate endpoint is no longer reachable anonymously. This only helps if port 3000 is not also reachable directly (bind Metabase to localhost or firewall it), and it breaks public or embedded dashboards. Denying /api/setup/validate outright at the proxy is a narrower alternative for instances that have already completed setup.

# Example nginx basic auth configuration.
# Every path, including /api/*, is covered because the location is "/";
# do not add a more specific location that skips auth_basic.
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # created with htpasswd(1)
    proxy_pass http://localhost:3000;            # Metabase must listen on localhost only
}

🧯 If You Can't Patch

  • Immediately take Metabase instances offline until patching is possible
  • Implement strict network segmentation and firewall rules to isolate Metabase from other systems

🔍 How to Verify

Check if Vulnerable:

Check your Metabase version via the web interface (gear menu → About Metabase) or by querying the API as below. If the version is below the fixed version for its release line (or on a release line older than 0.43 / 1.43), you are vulnerable.

Check Version:

# /api/health only returns {"status":"ok"}; the version tag is in the
# unauthenticated /api/session/properties response.
curl -s http://localhost:3000/api/session/properties | grep -o '"tag":"v[^"]*"'

Verify Fix Applied:

After updating, verify that the reported version tag is a patched version (0.46.6.1+, 1.46.6.1+, or one of the backported fixes). On a patched instance that has completed setup, the /api/session/properties response no longer contains a "setup-token" value; if it still does, the fix is not in place. Then test that the application functions normally.
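The version comparison above is easy to get wrong by hand because each release line has its own backported fix. The script below is an added example, not Metabase's own code: it takes the JSON body of GET /api/session/properties (piped in from curl), decides from the "version.tag" field whether the build predates the fix for its release line, and also reports whether the "setup-token" value is still exposed. The two sample responses and their dates and token are constructed for the demonstration.

```python
"""Decide whether a Metabase build is patched for CVE-2023-38646.

Added example; it is not Metabase's own code. The input is the JSON body
of GET /api/session/properties (unauthenticated), whose "version" object
carries a "tag" such as "v0.46.2" and which, on unpatched instances that
have completed setup, still carries the "setup-token" the public exploit
relies on. Both sample responses below are constructed.
"""
import json
import re
import sys

# Fixed versions from the advisory, keyed by (major, minor). Major 0 is the
# open-source build, major 1 the Enterprise build.
BACKPORT_FIXED = {
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
}
LATEST_FIXED = {0: (0, 46, 6, 1), 1: (1, 46, 6, 1)}


def parse_tag(tag):
    """'v0.46.6.1' -> (0, 46, 6, 1); shorter tags are right-padded with zeros."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){1,3})", tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(tag):
    """True if the build predates every fix that applies to its release line."""
    v = parse_tag(tag)
    major, minor = v[0], v[1]
    if major not in LATEST_FIXED:
        raise ValueError(f"unknown Metabase edition in tag {tag!r}")
    if v >= LATEST_FIXED[major]:
        return False  # 0.46.6.1+ / 1.46.6.1+, and every newer release line
    backport = BACKPORT_FIXED.get((major, minor))
    # Release lines without a backport (0.42.x and older) never received a fix.
    return backport is None or v < backport


def assess(properties_json):
    """Combine the version verdict with the setup-token check.

    A patched instance that has completed setup no longer returns
    "setup-token" from /api/session/properties, so its presence is a
    second, version-independent indicator.
    """
    props = json.loads(properties_json)
    tag = (props.get("version") or {}).get("tag")
    if not tag:
        raise ValueError("response has no version.tag field")
    return {
        "tag": tag,
        "vulnerable_by_version": is_vulnerable(tag),
        "setup_token_exposed": bool(props.get("setup-token")),
    }


# Constructed sample responses (dates and token are made up).
SAMPLE_VULNERABLE = json.dumps({
    "version": {"tag": "v0.46.2", "date": "2023-05-01"},
    "setup-token": "00000000-0000-4000-8000-000000000000",
    "has-user-setup": True,
})
SAMPLE_PATCHED = json.dumps({
    "version": {"tag": "v0.46.6.1", "date": "2023-07-21"},
    "has-user-setup": True,
})

if __name__ == "__main__":
    # Usage: curl -s http://HOST:3000/api/session/properties | python3 check.py -
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_VULNERABLE
    print(json.dumps(assess(raw), indent=2))
```

Run it with `-` to read a live response from stdin; without arguments it evaluates the constructed vulnerable sample. A result with `vulnerable_by_version` false but `setup_token_exposed` true deserves a second look at what is actually running behind the proxy.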

📡 Detection & Monitoring

Log Indicators:

  • POST /api/setup/validate requests on an instance that has already completed setup (the legitimate setup wizard calls this endpoint once, during installation); a 4xx response does not mean the attempt failed, because the H2 connection string is evaluated before the validation result is returned
  • GET /api/session/properties from scanners or unexpected clients shortly before such a POST (the public exploits fetch the setup token this way first)
  • Unexpected child processes (sh, bash, curl, wget and the like) spawned by the Metabase java process
  • Application log entries from the database-connection validator for connections you did not initiate, in particular ones referencing the H2 engine

Network Indicators:

  • Unusual outbound connections from the Metabase server, such as reverse shells or downloads of second-stage tooling
  • DNS or HTTP callbacks from the Metabase server to attacker-controlled hosts (several public PoCs confirm execution out-of-band)

SIEM Query:

# Reverse-proxy or web-server access logs (Metabase's own log does not record request paths by default)
source="nginx.access" AND ("POST /api/setup/validate" OR ("GET /api/session/properties" AND NOT src_ip IN (TRUSTED_RANGES)))
# Endpoint telemetry: shells or download tools spawned by the Metabase JVM
source="endpoint.process" AND parent_process="java" AND process IN ("sh", "bash", "curl", "wget")
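To show the first of those rules running against real log material, the following is an added example, not from the page or from Metabase. It parses reverse-proxy access-log lines in the common "combined" format, raises a high-severity alert for every POST /api/setup/validate, and escalates to critical when the same client fetched /api/session/properties within the preceding ten minutes, which is the recon-then-fire sequence the public exploit scripts follow. The log lines, addresses and timestamps are constructed for the demonstration; the ten-minute window is an assumed tuning value.

```python
"""Flag CVE-2023-38646 exploitation attempts in reverse-proxy access logs.

Added example; not from the page or from Metabase. Two rules:
  1. Any POST /api/setup/validate on an instance that has finished setup is
     suspicious: the legitimate setup wizard calls it once, at install time.
  2. A GET /api/session/properties from the same client shortly before that
     POST matches the public exploit's recon-then-fire pattern.
Plain GETs of /api/session/properties are not alerted on their own because
every browser session issues one. The log lines below are constructed.
"""
import re
import sys
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
RECON_WINDOW = timedelta(minutes=10)  # assumed tuning value

# Constructed sample: a normal user session, an exploit-shaped pair, and a
# lone validate call (status 400 does not mean the attempt failed).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2023:10:00:01 +0000] "GET /api/session/properties HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jul/2023:10:00:02 +0000] "POST /api/session HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jul/2023:10:05:11 +0000] "GET /api/session/properties HTTP/1.1" 200 4312 "-" "python-requests/2.31.0"
203.0.113.7 - - [21/Jul/2023:10:05:12 +0000] "POST /api/setup/validate HTTP/1.1" 400 61 "-" "python-requests/2.31.0"
198.51.100.9 - - [21/Jul/2023:11:30:00 +0000] "POST /api/setup/validate HTTP/1.1" 400 61 "-" "curl/8.1.2"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def analyse(log_text):
    """Return alerts as dicts with severity, ip, ts and reason, in log order."""
    alerts = []
    last_recon = {}  # ip -> timestamp of its most recent /api/session/properties
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == "/api/session/properties":
            last_recon[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == "/api/setup/validate":
            recon_at = last_recon.get(rec["ip"])
            if recon_at is not None and rec["ts"] - recon_at <= RECON_WINDOW:
                severity = "critical"
                reason = "session/properties followed by setup/validate from same client"
            else:
                severity = "high"
                reason = "setup/validate called after installation"
            alerts.append({"severity": severity, "ip": rec["ip"],
                           "ts": rec["ts"].isoformat(), "reason": reason})
    return alerts


if __name__ == "__main__":
    # Usage: python3 detect.py /var/log/nginx/access.log (defaults to the sample)
    text = open(sys.argv[1]).read() if sys.argv[1:] else SAMPLE_LOG
    for a in analyse(text):
        print(f'{a["severity"]:8} {a["ip"]:15} {a["ts"]}  {a["reason"]}')
```

Point it at the proxy's access log rather than Metabase's application log, and feed the resulting alerts to whatever raises tickets: a single high-severity hit is already worth an incident, since there is no benign reason for that endpoint to be called after setup.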

🔗 References
