Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
AnalysisAI
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. Affected products include: Metabase. Version information: before 0.46.6.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For
Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed release
Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulner
Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely
Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run
Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnera
Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi
Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds dat
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today