CVE-2023-38646 - Unspecified vulnerability in Metabase
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
References
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
- https://github.com/metabase/metabase/issues/32552
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1
- https://news.ycombinator.com/item?id=36812256
- https://www.metabase.com/blog/security-advisory