Learning more about Metabase Pre-auth RCE (CVE-2023–38646)

Gupta Bless
2 min readNov 19, 2023
Source

Introduction

In the realm of cybersecurity, Common Vulnerabilities and Exposures (CVE) play a pivotal role in identifying and addressing potential threats. The practice of publicly disclosing vulnerabilities has become a standard procedure, regardless of whether they pertain to hardware or software. The severity of each CVE is gauged by the Common Vulnerability Scoring System (CVSS) score, providing a standardized way to assess and prioritize security weaknesses.

Understanding Metabase Pre-Auth RCE

CVE 2023–38646 highlights a remote code execution vulnerability present in a specific version of Metabase. Metabase, an open-source program, empowers users to create visual representations of data from various databases. This flaw impacts all versions of the open-source software released before 0.46.6.1 and enterprise software released before 1.46.6.1.

Root Cause Analysis

The vulnerability stems from a lapse in security practices during the Metabase setup. Despite the requirement for a setup token during installation, this token isn’t cleared after the process completion. This oversight enables malicious actors to potentially steal the token, impersonate legitimate users, and issue commands directly through the server. The consequences range from unauthorized access to sensitive data to the installation of malicious software.

The critical severity of this CVE is exacerbated by the lack of authentication requirements, specifically during the Metabase setup, with the vulnerable API endpoint being /api/setup/validate. Attackers can exploit this weakness by bypassing the JDBC connection procedure, gaining access to the setup token, and subsequently executing remote code.

Steps to Reproduce

To exploit this vulnerability, attackers can intercept the request of the /api/setup/validate endpoint, fetching the setup token. By utilizing collaborative tools such as Burp Suite’s Collaborator, attackers can monitor exploits through a designated collaborator URL. A Python script, CVE-2023–38646.py, simplifies this process, offering flexibility for attackers working collaboratively.

--

--

Gupta Bless

Security enthusiast working to secure web for others.