Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2023-38646
CVE-2023-38646:
NixOS vulnerability analysis and mitigation
Overview
CVE-2023-38646 affects Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1. The vulnerability allows attackers to execute arbitrary commands on the server at the server's privilege level without requiring authentication. The vulnerability was discovered in July 2023, and fixed versions were released on July 21, 2023. The affected versions include all versions up to 0.43.7.2, versions from 0.44.0 to 0.44.7.1, versions from 0.45.0 to 0.45.4.1, and versions from 0.46.0 to 0.46.6.1 (NVD, Assetnote Blog).
Technical details
The vulnerability received a CVSS v3.1 Base Score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability chain involves obtaining a setup token from /api/session/properties endpoint and using it with a special endpoint that validates DB connections. The attack leverages an SQL injection vulnerability in the H2 database driver to achieve code execution (Assetnote Blog).
Impact
The vulnerability allows attackers to execute arbitrary commands with the same privileges as the Metabase server. Given that Metabase is designed to connect to sensitive datasources, a successful exploit could lead to access to critical parts of an organization's network and sensitive data sources. At the time of discovery, approximately 20,000 instances of Metabase were exposed on the external internet (Assetnote Blog).
Mitigation and workarounds
The primary mitigation is to upgrade to the fixed versions: 0.46.6.1, 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, or 1.43.7.2. Additional security measures include placing Metabase behind a VPN, using reverse proxies with authentication, and ensuring the instance is not directly exposed to the internet. Organizations should also consider implementing network isolation and using read-only credentials for database access (Metabase Advisory, Assetnote Blog).
Community reactions
The vulnerability generated significant discussion in the security community, with many experts emphasizing the importance of proper isolation for analytics tools. Security researchers and practitioners recommended against allowing direct access to production databases through analytics visualization tools like Metabase, suggesting instead to use separate analytics databases with aggregated, anonymized data (HN Discussion).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management