Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint
CVE-2023-37470

10 CRITICAL

Key Information:

Vendor

Metabase

Status
Vendor
CVE Published:
4 August 2023

What is CVE-2023-37470?

Metabase, the open-source business intelligence platform, is vulnerable to remote code execution through crafted H2 JDBC connection strings. The POST /api/setup/validate endpoint accepts database connection details and opens a connection to check them, and it did not adequately validate user-supplied H2 connection strings. H2 allows a connection string to carry SQL that runs when the connection is opened, so an attacker who submits such a string can have the Metabase server execute attacker-supplied code with the privileges of the Metabase process. The CVSS vector (network, no privileges required, no user interaction) reflects that the endpoint is reachable without an account. Users are advised to upgrade to the patched versions, which remove H2 as a supported data source. Anyone who connected Metabase to an H2 file-based database should migrate that data to SQLite. Where an upgrade is not immediately possible, block access to the POST /api/setup/validate endpoint (for example at a reverse proxy in front of Metabase) as a mitigation.

Affected Version(s)

metabase < 0.43.7.3

metabase >= 0.44.0.0, < 0.44.7.3

metabase >= 0.45.0.0, < 0.45.4.3
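The following triage script is an added example for this advisory; it is not part of the advisory and not Metabase code. It does three things a defender wants at hand: decides whether an open-source Metabase version falls inside one of the affected ranges listed above (comparing parsed integer tuples, since a plain string comparison orders 0.44.10.0 below 0.44.7.3), finds access-log requests to the workaround endpoint POST /api/setup/validate, and flags H2 connection strings carrying the clauses H2 uses to run SQL or Java at connect time (INIT=, RUNSCRIPT, CREATE ALIAS, CREATE TRIGGER, $$ Java source delimiters). The log lines are constructed for the example in nginx/Apache combined format, and the keyword list is a heuristic of this example rather than Metabase's own validation.

```python
"""Triage helpers for CVE-2023-37470 (example code added for this page; not
the advisory's material and not Metabase code).

Assumptions: Metabase versions compare as dotted integer tuples; log lines
are in nginx/Apache combined format; the H2 keyword list is a heuristic.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

Version = Tuple[int, ...]

# (lower bound inclusive or None, upper bound exclusive), from the ranges
# listed in the advisory's "Affected Version(s)" section.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (0, 43, 7, 3)),
    ((0, 44, 0, 0), (0, 44, 7, 3)),
    ((0, 45, 0, 0), (0, 45, 4, 3)),
]


def parse_version(v: str) -> Version:
    """'v0.44.7' -> (0, 44, 7, 0); a suffix such as '-RC3' is ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"not a Metabase version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))          # pad so tuples compare evenly
    return tuple(parts[:4])


def is_affected(version: str) -> bool:
    """True if the version lies in one of the listed vulnerable ranges."""
    t = parse_version(version)
    return any((lo is None or t >= lo) and t < hi for lo, hi in AFFECTED_RANGES)


# combined log format: ip - user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_validate_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, status) for every POST to /api/setup/validate."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip lines that are not access-log records
        path = m["path"].split("?", 1)[0]    # ignore any query string
        if m["method"] == "POST" and path == "/api/setup/validate":
            hits.append((m["ip"], m["status"]))
    return hits


# H2 connection-string features that execute SQL or Java when the connection
# opens: INIT=<sql> runs on connect, RUNSCRIPT loads a script file or URL,
# CREATE ALIAS / CREATE TRIGGER bind Java source ($$ ... $$) to a SQL name.
H2_DANGER = re.compile(
    r"(?i)(?:^|;)\s*INIT\s*=|\bRUNSCRIPT\b|\bCREATE\s+(?:ALIAS|TRIGGER)\b|\$\$"
)


def h2_string_is_suspicious(conn: str) -> bool:
    """URL-decode first so %3B / %3D encodings of ';' and '=' cannot hide a clause."""
    return H2_DANGER.search(unquote_plus(conn)) is not None


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2023:10:12:01 +0000] "GET /api/session/properties HTTP/1.1" 200 1432',
    '203.0.113.7 - - [04/Aug/2023:10:12:09 +0000] "POST /api/setup/validate HTTP/1.1" 200 61',
    '203.0.113.7 - - [04/Aug/2023:10:12:10 +0000] "POST /api/setup/validate?x=1 HTTP/1.1" 403 0',
    '10.0.0.5 - - [04/Aug/2023:10:13:00 +0000] "GET /api/setup/validate HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    for v in ("0.43.7.2", "0.44.10.0", "0.45.4.3"):
        print(v, "affected" if is_affected(v) else "not in the listed ranges")
    print(find_validate_requests(SAMPLE_LOG))
    print(h2_string_is_suspicious("jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'init.sql'"))
```

The version check covers only the open-source ranges the advisory lists; a successful POST to /api/setup/validate from an unexpected client is worth investigating even on a patched instance, since the endpoint should only see traffic during initial setup.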

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 August 2023