PT-2023-5110 · Sqlite+2

Published 2023-08-04 · Updated 2023-08-09

CVE-2023-37470

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Metabase versions prior to 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4
Description: The issue stems from improper control of code generation in the Metabase platform and can lead to remote code execution on the server. The root cause is that the embedded in-memory H2 database allows a connection string to carry code that is then executed by the process running the embedded database, so a user-supplied connection string can be used to inject executable code. The validation API, which can be called without validation, is the primary exploitation vector. Approximately 58,710 results are potentially affected.
Recommendations: To resolve the issue, update to version 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, or 1.46.6.4; these releases fix the issue by removing the ability to add H2 databases entirely. As a temporary workaround, block the endpoints POST /api/database, PUT /api/database/:id, and POST /api/setup/validate at the network level until the update is applied. Those who use H2 as a file-based database should migrate to SQLite.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2023-05679
CVE-2023-37470
GHSA-P7W3-9M58-RQ83

Affected Products

H2
Metabase
Sqlite