CVE-2023-38646: Remote Command Execution Vulnerability in Metabase
In the realm of business intelligence, the open-source tool Metabase has marked its presence with its seamless data interpretation capabilities. This self-service BI tool has empowered organizations across the globe, enabling users to pose questions about their data and receiving visual, digestible answers in return. As user-friendly as it gets, Metabase requires no knowledge of SQL or any other programming language, broadening its accessibility within an organization.
Connecting to a variety of data sources, ranging from relational databases to cloud storage and flat files, Metabase showcases its flexible nature. Once a data source is tethered, users can conjure up queries using an uncomplicated drag-and-drop interface, paving the way for the tool to create data visualizations such as charts, graphs, and tables.
Despite its profound benefits, a severe vulnerability has been unearthed, tagged as CVE-2023-38646. This vulnerability is of the utmost severity, given that it allows an unauthenticated attacker to execute arbitrary commands with the same privileges as the Metabase server. This vulnerability means the Metabase server can become a potential entry point for malicious attacks, which could compromise the integrity of the whole system it operates on.
This vulnerability casts a long shadow over several versions of both the Metabase Community and Metabase Enterprise. The affected versions for Metabase Community range from 0.43 to 0.46, while Metabase Enterprise’s affected versions span from 1.43 to 1.46.
However, not all hope is lost. Unaffected versions exist for both the Metabase Community and Metabase Enterprise. For Metabase Community, versions 0.43.7.2 and upwards are safe, while for Metabase Enterprise, the safe harbor begins at version 1.43.7.2 and continues into the subsequent versions.
In light of the CVE-2023-38646 vulnerability, it is highly recommended that users update their Metabase software to the unaffected versions immediately. An unchecked remote command execution vulnerability could potentially allow attackers to exploit and compromise systems, leading to significant data breaches and interruptions of business operations.
