QwikSec

Security Database

CVE

CWE

Training

CVE-2023-38646

Published: Jul 21, 2023

Modified: Aug 2, 2024

PUBLISHED

Description

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.metabase.com/blog/security-advisory

https://github.com/metabase/metabase/releases/tag/v0.46.6.1

https://news.ycombinator.com/item?id=36812256

https://github.com/metabase/metabase/issues/32552

http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html

http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.