Описание
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2023-38646
- https://github.com/metabase/metabase/issues/32552
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1
- https://news.ycombinator.com/item?id=36812256
- https://www.metabase.com/blog/security-advisory
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
Связанные уязвимости
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Уязвимость программного средства визуализации данных и создания отчетов Metabase, связанная с недостатками процедуры аутентификации, позволяющая нарушителю обойти существующие ограничения безопасности и выполнить произвольный код