Skip to main content

Metabase CVE-2023-37470

CRITICAL
Code Injection (CWE-94)
2023-08-04 security-advisories@github.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 04, 2023 - 16:15 nvd
CRITICAL 9.8

DescriptionNVD

Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints POST /api/database, PUT /api/database/:id, and POST /api/setup/validateuntil. Those who use H2 as a file-based database should migrate to SQLite.

AnalysisAI

Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints POST /api/database, PUT /api/database/:id, and POST /api/setup/validateuntil. Those who use H2 as a file-based database should migrate to SQLite. Affected products include: Metabase.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2023-38646 CRITICAL POC
9.8 Jul 21

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman

CVE-2021-41277 HIGH POC
7.5 Nov 17

Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2022-43776 MEDIUM POC
6.5 Oct 26

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For

CVE-2026-50148 CRITICAL
10.0 Jul 15

Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed release

CVE-2023-32680 CRITICAL
9.6 May 18

Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely

CVE-2022-24853 MEDIUM POC
5.3 Apr 14

Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-59827 HIGH
8.8 Jul 09

Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run

CVE-2022-39362 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-39361 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-24854 HIGH
8.8 Apr 14

Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnera

CVE-2026-27464 HIGH
7.7 Feb 21

Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi

CVE-2026-50147 HIGH
7.6 Jul 15

Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds dat

Share

CVE-2023-37470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy