Metabase
CVE-2023-37470
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints POST /api/database, PUT /api/database/:id, and POST /api/setup/validateuntil. Those who use H2 as a file-based database should migrate to SQLite.
AnalysisAI
Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints POST /api/database, PUT /api/database/:id, and POST /api/setup/validateuntil. Those who use H2 as a file-based database should migrate to SQLite. Affected products include: Metabase.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman
Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For
Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed release
Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely
Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run
Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnera
Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi
Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds dat
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today