CVE-2023-38646
Summary
| CVE | CVE-2023-38646 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-07-21 15:15:00 UTC |
| Updated | 2023-08-09 18:15:00 UTC |
| Description | Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Please upgrade your Metabase immediately | MISC | www.metabase.com | |
| Metabase Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Release Metabase v0.46.6.1 · metabase/metabase · GitHub | MISC | github.com | |
| Metabase 0.46.6 is available. You're running 0.46.6.1 · Issue #32552 · metabase/metabase · GitHub | MISC | github.com | |
| Tell HN: Upgrade your Metabase installation immediately \| Hacker News | MISC | news.ycombinator.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.