
Exploit for Metabase < 0.46.6.1 - Unauthenticated Remote Code Execution (CVE-2023-38646)

Description:

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server’s privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
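A branch-aware version check against the fixed releases listed above, useful for triaging an inventory of Metabase instances. This is an added example, not code from Metabase or from the referenced advisories. It assumes the version strings come from your own asset inventory (the host names below are constructed), that branches older than 0.43/1.43 count as affected because no fixed release is listed for them, and that branches newer than 0.46/1.46 are not "before 0.46.6.1".

```python
import re

# Fixed patch levels per release branch, taken from the description above.
# Key: (edition, minor); edition 0 = open source, 1 = Enterprise.
FIXED = {
    (0, 46): (6, 1), (1, 46): (6, 1),
    (0, 45): (4, 1), (1, 45): (4, 1),
    (0, 44): (7, 1), (1, 44): (7, 1),
    (0, 43): (7, 2), (1, 43): (7, 2),
}
OLDEST_FIXED_MINOR, NEWEST_FIXED_MINOR = 43, 46


def parse_version(tag):
    """Turn 'v0.46.6.1' or '1.45.4' into a tuple of ints.
    Any non-numeric suffix (e.g. '-RC1') is ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if parts[0] not in (0, 1):
        raise ValueError(f"unknown edition prefix in {tag!r}")
    return parts


def is_affected(tag):
    """True if the version predates the fixed release of its own branch."""
    edition, minor, *rest = parse_version(tag)
    if minor > NEWEST_FIXED_MINOR:
        return False  # assumption: later branches are not "before 0.46.6.1"
    if minor < OLDEST_FIXED_MINOR:
        return True   # assumption: no fixed release is listed for this branch
    fixed = FIXED[(edition, minor)]
    width = max(len(rest), len(fixed))
    padded = tuple(rest) + (0,) * (width - len(rest))  # 0.46.6 -> (6, 0)
    return padded < fixed + (0,) * (width - len(fixed))


def triage(inventory):
    """Return the hosts whose recorded version still needs the upgrade."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed sample inventory (host names are placeholders).
SAMPLE = {"bi-01.example": "v0.46.6", "bi-02.example": "v0.46.6.1",
          "bi-03.example": "v1.45.4.1", "bi-04.example": "v0.43.7.1",
          "bi-05.example": "v0.42.6", "bi-06.example": "v0.47.0"}

if __name__ == "__main__":
    print("needs upgrade:", triage(SAMPLE))
```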

Affected Products:

Proof of Concept

PoC exploit

Nuclei Template

View the template here CVE-2023-38646.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-38646.yaml

Try the exploit in a lab environment:

Lab | Machine | Link
Hack The Box | Analytics | Go to Practice

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-38646
https://www.metabase.com/blog/security-advisory
https://github.com/metabase/metabase/releases/tag/v0.46.6.1
https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg
https://news.ycombinator.com/item?id=36812256
https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe