CVE-2023-37470: 
NixOS vulnerability analysis and mitigation

CVE-2023-37470 affects Metabase, an open-source business intelligence and analytics platform. The vulnerability was discovered in versions prior to 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, allowing potential remote code execution on Metabase servers (NVD).

The vulnerability stems from the H2 embedded in-memory database, which exposes methods for connection strings to include executable code. Since Metabase allows users to connect to databases, malicious actors could inject executable code through user-supplied connection strings. The validation API for connection strings could be called without proper validation, making it the primary attack vector. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows unauthenticated remote attackers to execute arbitrary code on the target server, potentially leading to complete system compromise. Successful exploitation could result in unauthorized access to sensitive data and full control of vulnerable systems (Fortiguard).

The vulnerability has been fixed in versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 by completely removing the ability to add H2 databases. As a temporary workaround, organizations can block the vulnerable endpoints 'POST /api/database', 'PUT /api/database/:id', and 'POST /api/setup/validateuntil' at the network level. Users of H2 as a file-based database should migrate to SQLite (NVD).