Learning more about Metabase Pre-auth RCE (CVE-2023–38646)

Gupta Bless
2 min readNov 19, 2023
Source

Introduction

In the realm of cybersecurity, Common Vulnerabilities and Exposures (CVE) play a pivotal role in identifying and addressing potential threats. The practice of publicly disclosing vulnerabilities has become a standard procedure, regardless of whether they pertain to hardware or software. The severity of each CVE is gauged by the Common Vulnerability Scoring System (CVSS) score, providing a standardized way to assess and prioritize security weaknesses.

Understanding Metabase Pre-Auth RCE

CVE 2023–38646 highlights a remote code execution vulnerability present in a specific version of Metabase. Metabase, an open-source program, empowers users to create visual representations of data from various databases. This flaw impacts all versions of the open-source software released before 0.46.6.1 and enterprise software released before 1.46.6.1.

Root Cause Analysis

The vulnerability stems from a lapse in security practices during the Metabase setup. Despite the requirement for a setup token during installation, this token isn’t cleared after the process completion. This oversight enables malicious actors to potentially steal the token, impersonate legitimate users, and issue commands directly through…

--

--

Gupta Bless
Gupta Bless

Written by Gupta Bless

Security enthusiast working to secure web for others.

No responses yet