CVE-2023-38646

EPSS 97.9%
Vexday Risk Score
40 (Attention)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS · EPSS 97.9% · KEV: no · PoC · Nuclei: yes · Metasploit: yes · Patch
Lifecycle
21 Jul 2023: Published on NVD
22 Jul 2023: Metasploit module available
Recommendation: Plan a near-term fix — a public PoC already exists.
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Affected products
n/a · n/a