Learn about CVE-2023-37470, a critical vulnerability in Metabase allowing remote code execution. Understand the impact, affected versions, and mitigation steps.
A critical vulnerability has been identified in Metabase that allows for remote code execution, impacting versions prior to 1.46.6.4. Here's what you need to know about CVE-2023-37470 and how to protect your systems.
Understanding CVE-2023-37470
Metabase is an open-source business intelligence and analytics platform. The vulnerability allows remote code execution via the POST /api/setup/validate endpoint.
What is CVE-2023-37470?
This vulnerability in Metabase versions earlier than 1.46.6.4 could permit an attacker to execute arbitrary code on the server through a specially crafted connection string.
The Impact of CVE-2023-37470
The vulnerability poses a critical threat with a CVSS base score of 10 (Critical). Attackers can exploit it remotely with no privileges required, leading to high impacts on confidentiality, integrity, and availability.
Technical Details of CVE-2023-37470
The vulnerability arises from improper control of code generation, allowing attackers to inject malicious code through the validation API.
Vulnerability Description
Metabase's support for H2 databases enables code injection through connection strings, leading to remote code execution on the server.
Affected Systems and Versions
Affected versions, as listed here, include: earlier than 0.43.7.3; 0.44.0.0 or later but earlier than 0.44.7.3; 0.45.0.0 or later but earlier than 0.45.4.3; and further ranges up to 1.46.6.4.
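The version ranges above are easy to misread during an inventory sweep, so here is a small checker, added as an example for this page rather than anything published by the Metabase project. It encodes only the ranges the page states (lower bound inclusive, upper bound exclusive); the page says its list is partial ("and more up to 1.46.6.4"), so the remaining ranges must be added from the vendor advisory, and the `inventory` dictionary at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Turn a Metabase version string such as '0.46.6.3' or 'v1.46.6.4' into a 4-int tuple."""
    s = s.strip().lstrip("v")
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a version string: {s!r}")
    parts = [int(p) for p in s.split(".")]
    parts += [0] * (4 - len(parts))       # pad short strings so '0.44' compares as 0.44.0.0
    return tuple(parts[:4])

# Affected ranges exactly as this page lists them: (lower inclusive or None, upper exclusive).
# The page states the list is incomplete; extend it from the vendor advisory before relying on it.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None,      "0.43.7.3"),   # everything earlier than 0.43.7.3
    ("0.44.0.0", "0.44.7.3"),
    ("0.45.0.0", "0.45.4.3"),
]

def is_affected(version: str, ranges: Sequence[Tuple[Optional[str], str]] = AFFECTED_RANGES) -> bool:
    """True when `version` falls inside any affected range."""
    v = parse_version(version)
    for lo, hi in ranges:
        lo_ok = lo is None or parse_version(lo) <= v
        if lo_ok and v < parse_version(hi):
            return True
    return False

def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: metabase_version}, return the hosts still on an affected build, sorted."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = {
    "bi-prod-01": "0.43.7.2",
    "bi-prod-02": "0.44.7.3",
    "bi-dev-01":  "0.45.1.0",
    "bi-lab-01":  "0.45.4.3",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range")
```

The upper bounds are exclusive because the page names them as the first fixed build in each line; if you add ranges from the advisory, keep that convention so the comparison stays consistent.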
Exploitation Mechanism
The validation API can be reached without authentication, so an unauthenticated attacker can exploit the vulnerability remotely.
Mitigation and Prevention
To safeguard your systems from CVE-2023-37470, immediate actions and long-term security measures are crucial.
Immediate Steps to Take
Block the vulnerable endpoints (POST /api/database, PUT /api/database/:id, and POST /api/setup/validate) at the network level until you can upgrade to a patched version. Consider migrating from H2 to SQLite for file-based databases.
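Whether or not the network-level block is already in place, reverse-proxy access logs show who has been reaching those three endpoints. The triage script below is an added example written for this page, not Metabase's own tooling: it assumes the proxy writes Combined Log Format, watches exactly the three methods and paths named above (with a numeric id for `/api/database/:id`), and runs over a handful of constructed log lines.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# The three endpoints named in the mitigation step. PUT /api/database/:id carries a numeric id.
WATCHED = [
    ("POST", re.compile(r"^/api/database/?$")),
    ("PUT",  re.compile(r"^/api/database/\d+/?$")),
    ("POST", re.compile(r"^/api/setup/validate/?$")),
]

# Combined Log Format as an nginx/Apache proxy in front of Metabase would write it (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields, or None when it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines: List[str]) -> List[Hit]:
    """Return every request that hit one of the watched method/path pairs."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]        # match on the path only, not the query string
        for method, pattern in WATCHED:
            if rec["method"] == method and pattern.match(path):
                hits.append(Hit(rec["ip"], rec["ts"], method, path, int(rec["status"])))
                break
    return hits

def by_source(hits: List[Hit]) -> Counter:
    """Count watched-endpoint requests per client IP, so repeat callers stand out."""
    return Counter(h.ip for h in hits)

# Constructed sample log lines (addresses from documentation ranges, timestamps invented).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2023:14:02:11 +0000] "GET /api/user/current HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Aug/2023:14:02:15 +0000] "POST /api/setup/validate HTTP/1.1" 200 143',
    '203.0.113.7 - - [10/Aug/2023:14:02:16 +0000] "POST /api/database HTTP/1.1" 401 87',
    '10.0.0.8 - - [10/Aug/2023:14:03:01 +0000] "PUT /api/database/12 HTTP/1.1" 200 1203',
    '10.0.0.8 - - [10/Aug/2023:14:03:05 +0000] "GET /api/database/12 HTTP/1.1" 200 1203',
    '198.51.100.3 - - [10/Aug/2023:14:04:00 +0000] "POST /api/setup/validate?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status}")
    print("per source:", dict(by_source(hits)))
```

A 200 on POST /api/setup/validate from an address that is not one of your administrators is the line worth escalating, since the page notes this endpoint is reachable without authentication; GET requests to the same paths are deliberately ignored because only the listed methods are part of the advisory.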
Long-Term Security Practices
Regularly update Metabase to patched versions and implement security best practices to prevent future vulnerabilities.