Metabase, a widely-used business intelligence platform that lets users explore and learn from their data, that had a critical security flaw in versions before 0.46.6.1 (open source) and 1.46.6.1 (Enterprise). This vulnerability, designated as CVE-2023–38646, allowed attackers to execute arbitrary commands on the server without requiring any authentication. The impact of this flaw was severe, as it granted unauthorized access to the server at the server’s privilege level. The exploit was fixed in the subsequent versions 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

The vulnerability existed in the /api/setup/validate API endpoint, which served as a crucial part of Metabase’s initial setup process. During application setup, this endpoint was responsible for checking the database connection. However, attackers could exploit a flaw in the JDBC connection handling, leading to remote code execution (RCE) with pre-authentication. This meant that attackers could execute malicious commands on the server with elevated privileges, gaining full control over the application environment. With this level of access, an attacker could potentially steal sensitive data, manipulate the application, or even gain control of the entire server infrastructure.

To understand how the exploit works, let’s follow the steps provided in the PoC section of the GitHub repository’s README file.

1. Retrieve Setup Token: Start by navigating to “http://vulnerablehost.com/api/session/properties" to obtain the “setup-token.”

2. Set Up Collaborator: Next, get a collaborator URL, for example, using BurpSuite. This URL will be used to track the exploit’s callbacks.

3. Run the PoC Script: Use the provided PoC script “CVE-2023–38646.py” with the following parameters:

• -u: Target URL
• -t: Setup token
• -c: Collaborator URL Example: python3 CVE-2023-38646.py -u <target> -t <setup-token> -c <collaborator-url>

4. Check Collaborator for Callbacks: Monitor the collaborator URL for any potential callbacks triggered by the exploit. Successful callbacks indicate that the vulnerability has been exploited.

The severity of this vulnerability underscores the importance of prompt action. Metabase users must upgrade to fixed versions (0.46.6.1, 1.46.6.1, or later) as soon as possible to eliminate the risk of exploitation. Immediate upgrading is the most effective approach to prevent unauthorized access and ensure data security. For cases where immediate upgrades are not feasible, blocking requests to the vulnerable /api/setup endpoints can provide temporary protection.

• https://github.com/shamo0/CVE-2023-38646-PoC
• https://www.metabase.com/blog/security-advisory
• https://blog.calif.io/p/reproducing-cve-2023-38646-metabase
• https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/