Security News > 2023 > July > Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required
Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "Extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations.
Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1.
"An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on," Metabase said in an advisory released last week.
While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023.
Assetnote, which claimed it discovered and reported the bug to Metabase, said the vulnerability is due to a JDBC connection issue in the API endpoint "/api/setup/validate," enabling a malicious actor to obtain a reverse shell on the system by means of a specially crafted request that takes advantage of an SQL injection flaw in the H2 database driver.
Users who cannot apply the patches immediately are recommended to block requests to the /api/setup endpoint, isolate the Metabase instance from your production network, and monitor for suspicious requests to the endpoint in question.
News URL
https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-21 | CVE-2023-38646 | Unspecified vulnerability in Metabase Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. | 9.8 |