CVE-2023-38646

Name of the Vulnerable Software and Affected Versions Metabase open source versions prior to 0.46.6.1 Metabase Enterprise versions prior to 1.46.6.1

Description The issue allows attackers to execute arbitrary commands on the server at the server's privilege level without requiring authentication. Over 5,000 instances are potentially vulnerable to attacks. The vulnerability resides within the Metabase API endpoint: "/api/setup/validate". It enables remote attackers to bypass existing security restrictions and execute arbitrary code.

Recommendations For Metabase open source versions prior to 0.46.6.1, update to version 0.46.6.1 or later. For Metabase Enterprise versions prior to 1.46.6.1, update to version 1.46.6.1 or later. As a temporary workaround, consider restricting access to the "/api/setup/validate" API endpoint until a patch is available.