Major Security Flaw Discovered in Metabase BI Software – Update Needed Immediately

Tracked as CVE-2023-38646, this issue affects open-source versions prior to 0.46.6.1 and Metabase Enterprise versions prior to 1.46.6.1.

“An unauthenticated attacker could run arbitrary commands on the server on which you are running Metabase with the same privileges as the Metabase server,” Metabase said in an advisory issued last week.

This issue has also been addressed in the following older versions –

  • 0.45.4.1 and 1.45.4.1
  • 0.44.7.1 and 1.44.7.1, and
  • 0.43.7.2 and 1.43.7.2
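The version boundaries above span several release branches, which makes a quick "is my instance patched?" check easy to get wrong by hand. The following Python snippet is an added example (not Metabase's or Assetnote's code) that encodes the fixed versions listed on this page and compares an installed version string against them; the inventory dictionary at the bottom is constructed sample data.

```python
"""Classify Metabase versions against the CVE-2023-38646 fix boundaries
listed in the advisory (0.46.6.1 / 1.46.6.1 plus the backported fixes)."""

# Major 0 = open source, major 1 = Enterprise; both use the same branch numbers.
# Maps release branch -> first fixed (patch, hotfix) on that branch.
FIXED_BY_BRANCH = {46: (6, 1), 45: (4, 1), 44: (7, 1), 43: (7, 2)}
LATEST_FIXED_BRANCH = 46  # branches newer than this were never affected


def parse_version(version_str):
    """Turn 'v0.46.6' or '1.45.4.1' into a (major, branch, patch, hotfix) tuple."""
    cleaned = version_str.strip().lstrip("vV")
    parts = tuple(int(p) for p in cleaned.split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected Metabase version format: {version_str!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version_str):
    """True if the version predates the fix for its branch."""
    major, branch, patch, hotfix = parse_version(version_str)
    if major not in (0, 1):
        raise ValueError(f"unknown Metabase edition in version {version_str!r}")
    if branch > LATEST_FIXED_BRANCH:
        return False  # released after the fix; not in the affected range
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is None:
        return True  # older branch with no backported fix: still affected
    return (patch, hotfix) < fix


def triage(inventory):
    """Return [(host, version, vulnerable)] for a {host: version} mapping."""
    return [(host, ver, is_vulnerable(ver)) for host, ver in sorted(inventory.items())]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "bi-prod.example.internal": "v0.46.6",
    "bi-ent.example.internal": "1.45.4.1",
    "bi-old.example.internal": "0.42.9",
    "bi-new.example.internal": "0.47.0",
}

if __name__ == "__main__":
    for host, ver, vuln in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {ver:10} {'VULNERABLE' if vuln else 'patched'}")
```

Versions on branches older than 0.43 / 1.43 are reported as vulnerable because the advisory lists no backported fix for them; upgrading to a supported branch is the only remedy there.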

While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023. A majority of the instances are located in the U.S., India, Germany, France, the U.K., Brazil, and Australia.

Assetnote, which claimed it discovered the bug and reported it to Metabase, said the vulnerability is caused by a JDBC connection issue in the API endpoint “/api/setup/validate”: a specially crafted request that takes advantage of an SQL injection flaw in the H2 database driver could allow a malicious actor to obtain a reverse shell on the system.

Users who cannot apply the patch immediately are advised to block requests to the /api/setup endpoint, isolate the Metabase instance from their production network, and monitor for suspicious requests to the relevant endpoint.
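The monitoring advice above is easy to put into practice because the endpoint is a fixed path. The following Python snippet is an added example, not part of the original article or of Metabase, that scans web-server access logs in Apache/nginx combined format for requests under /api/setup and summarises them per source address and method. The log lines embedded in it are constructed; the IP addresses are documentation ranges.

```python
"""Flag requests to Metabase's /api/setup endpoints in combined-format access logs."""
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The advisory's mitigation is to block /api/setup entirely, so match the prefix,
# which also covers /api/setup/validate.
SENSITIVE_PREFIX = "/api/setup"

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2023:10:01:02 +0000] "GET /api/card/12 HTTP/1.1" 200 1532
203.0.113.7 - - [26/Jul/2023:10:01:09 +0000] "POST /api/setup/validate HTTP/1.1" 400 87
203.0.113.7 - - [26/Jul/2023:10:01:11 +0000] "POST /api/setup/validate HTTP/1.1" 400 87
198.51.100.9 - - [26/Jul/2023:10:02:30 +0000] "GET /api/setup?x=1 HTTP/1.1" 403 0
10.0.0.5 - - [26/Jul/2023:10:03:44 +0000] "GET /api/session/properties HTTP/1.1" 200 4098
garbage line that should be skipped, not crash the scanner
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so prefix matching looks only at the path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def flag_setup_requests(lines, prefix=SENSITIVE_PREFIX):
    """Return the parsed records whose path falls under the sensitive prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"].startswith(prefix):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source ip, method, path) so repeated probing stands out."""
    return Counter((h["ip"], h["method"], h["path"]) for h in hits)


if __name__ == "__main__":
    found = flag_setup_requests(SAMPLE_LOG.splitlines())
    for (ip, method, path), n in summarize(found).most_common():
        print(f"{n:3}  {ip:15} {method:5} {path}")
```

Any hit against /api/setup on an instance whose initial setup finished long ago deserves a look, and repeated POSTs to /api/setup/validate from one address, as in the sample, are a strong signal that the endpoint is being probed. A 4xx status does not mean the attempt failed harmlessly, so investigate by source rather than by status.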
