Vulnerability Description
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metabase | Metabase | < 0.43.7.2 |
References
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Executio
- https://github.com/metabase/metabase/issues/32552Issue Tracking
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1Release Notes
- https://news.ycombinator.com/item?id=36812256Issue Tracking
- https://www.metabase.com/blog/security-advisoryVendor Advisory
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Executio
- https://github.com/metabase/metabase/issues/32552Issue Tracking
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1Release Notes
- https://news.ycombinator.com/item?id=36812256Issue Tracking
- https://www.metabase.com/blog/security-advisoryVendor Advisory
FAQ
What is CVE-2023-38646?
CVE-2023-38646 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not require...
How severe is CVE-2023-38646?
CVE-2023-38646 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-38646?
Check the references section above for vendor advisories and patch information. Affected products include: Metabase Metabase.