www.belgium.be Logo of the federal government

Warning:Exploit was released for CVE- 2023-38646 a critical vulnerability in Metabase open source and in Metabase Enterprise, Patch immediately!

Référence: 
Advisory #2023-96
Version: 
1.0
Logiciels concernés : 
Metabase open source before 0.46.6.1
Metabase Enterprise before 1.46.6.1
Type: 
Remote code execution
CVE/CVSS: 

CVE-2023-38646 / CVSS 3.1 score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Date: 
10/08/2023

Sources

https://www.metabase.com/blog/security-advisory

Risques

CVE-2023-38646 is an extremely severe vulnerability, if exploited by an unauthenticated attacker, CVE-2023-38646 could lead to significant data breaches and interruptions of business operations.

As Metabase is an open-source BI tool used by organisations across the globe, the release of a proof-of-concept for the exploitation of the vulnerability highly increase the risks.

CVE-2023-38646 has a high impact on all vertices of the CIA triad (Confidentiality, Integrity, Availability).

Description

CVE-2023-38646 allows an unauthenticated attacker to execute arbitrary commands with the same privileges as the Metabase server. This means that the Metabase server can become a potential entry point for other attacks and could finally lead to compromise the integrity of the complete system it operates on.

Even if at the time of publication of the vulnerability there was no known exploitation on it, on the 9th of August a proof-of -concept was released.

The vulnerability affects the following supported versions:

  • Metabase open source before 0.46.6.1
  • Metabase Enterprise before 1.46.6.1 are affected by the vulnerability.

The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

Actions recommandées

To address the vulnerability, Metabase released patches and instructions that are available at: https://www.metabase.com/blog/security-advisory

As the vulnerability is of critical severity, urgent patching is recommended.

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.