Summary
An unauthenticated attacker can obtain the setup token for an instance and use it to achieve remote code execution via an endpoint that validates an H2 database connection. When the connection is validated, the H2 JDBC driver allows the attacker to achieve RCE.
Impact
An attacker can execute arbitrary Java code on the system, leading to arbitrary command execution.
Affected Software
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server.
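To triage an inventory of Metabase instances against the ranges above, here is an added example (not part of the advisory or of Metabase itself) that compares version tags with the fixed releases. It assumes the leading version component encodes the edition, as the advisory's 0.x (open source) and 1.x (Enterprise) numbers do, and that anything after the dotted numeric part of a tag can be ignored.

```python
import re

# Fixed releases stated in the advisory, keyed by the leading component
# (assumption: 0 = open source, 1 = Enterprise, matching the advisory's numbers).
FIXED = {0: (0, 46, 6, 1), 1: (1, 46, 6, 1)}
EDITIONS = {0: "open source", 1: "enterprise"}


def parse_version(tag):
    """Turn a tag such as 'v0.46.6' or '1.46.6.1' into a 4-tuple of ints.

    An optional leading 'v' is accepted; anything after the dotted numeric
    part is ignored; missing trailing components are padded with zeros so
    that '0.46.6' sorts below '0.46.6.1'.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def edition(version):
    """Edition name inferred from the leading component (see assumption above)."""
    return EDITIONS.get(version[0], "unknown")


def is_affected(tag):
    """True when the tag is older than the fixed release for its edition."""
    version = parse_version(tag)
    fixed = FIXED.get(version[0])
    if fixed is None:
        raise ValueError(f"no fixed release known for edition prefix {version[0]}")
    return version < fixed


def triage(tags):
    """Return (tag, edition, affected) rows for a list of instance version tags."""
    return [(t, edition(parse_version(t)), is_affected(t)) for t in tags]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for row in triage(["v0.46.6", "0.46.6.1", "v1.46.5", "v1.46.6.1", "v0.47.0"]):
        print(row)
```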
Product Description
Metabase is an open source business intelligence tool that lets you create charts and dashboards using data from a variety of databases and data sources.
Solution
Upgrade to a fixed release: Metabase open source 0.46.6.1 or later, or Metabase Enterprise 1.46.6.1 or later.
Metabase’s official advisory can be found here.
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
Shubham Shah – Assetnote Security Research Team
Maxwell Garrett