cbcvebase.
CVE-2023-38646
published 2023-07-21


Priority: P1 95 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.92% (99.9th percentile)
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

Affected (8 ranges)

Vendor   | Product  | Version range        | Fixed in
metabase | metabase | < 0.43.7.2           | 0.43.7.2
metabase | metabase | < 1.43.7.2           | 1.43.7.2
metabase | metabase | >= 0.44.0 < 0.44.7.1 | 0.44.7.1
metabase | metabase | >= 0.45.0 < 0.45.4.1 | 0.45.4.1
metabase | metabase | >= 0.46.0 < 0.46.6.1 | 0.46.6.1
metabase | metabase | >= 1.44.0 < 1.44.7.1 | 1.44.7.1
metabase | metabase | >= 1.45.0 < 1.45.4.1 | 1.45.4.1
metabase | metabase | >= 1.46.0 < 1.46.6.1 | 1.46.6.1

Detection & IOCs (extracted from sources)

port: 3000
url: /api/session/properties
cookie: metabase.D
path: /tmp/.systemd.3
path: /tmp/.json%s
domain: doh-ch.blahdns.com
domain: doh-de.blahdns.com
domain: doh-jp.blahdns.com
domain: doh-sg.blahdns.com
domain: relay.tor2socks.in
domain: ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion
domain: ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.re
domain: ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.in
domain: ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.it
command: zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,<base64>}|{base64,-d}|bash')\n$$--=x
path: /dev/shm/exec.sh
url: /exploitable
bytes: 0x756e672e
  • Alert on HTTP POST requests to /api/setup/validate containing the string 'INFORMATION_SCHEMA.TABLES' combined with '//javascript' in the request body, which is the H2 trigger-based RCE payload pattern.
  • Detect DreamBus UPX-packed ELF modules by scanning for the modified UPX magic bytes 0x756e672e (.gnu) instead of the standard 0x21585055 (UPX!) at the expected UPX header offset.
  • Monitor for creation of the lock file /tmp/.systemd.3 on Linux hosts, which is used by DreamBus exploit modules to prevent multiple concurrent instances.
  • Alert on outbound connections from Metabase server processes to Tor2web domains (*.tor2web.re, *.tor2web.in, *.tor2web.it) or SOCKS5 connections to relay.tor2socks.in:9050, which indicate successful DreamBus post-exploitation.
  • Monitor for the user-agent string '-' (a single dash) in HTTP requests, used by DreamBus curl commands to blend in or avoid logging.
  • Detect exploitation by monitoring for the H2 database engine being specified in POST /api/setup/validate requests from Metabase instances that have already completed setup (setup-token should not be accessible post-setup).
  • Monitor for the beacon pattern 'mb0_' prefix in HTTP Referer/User-Agent strings used by DreamBus to identify compromised hosts back to C2 (format: mb0_<public_ip>_<whoami>_<hostname>_<kernel>_<machine-id>).
  • The setup-token is only exploitable if it remains accessible after Metabase setup is complete; patched versions (0.46.6.1+, 1.46.6.1+, 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, 1.43.7.2) revoke the token post-setup.
  • The exploit requires the H2 database engine to be available/enabled in the Metabase instance; the payload specifically uses 'zip:/app/metabase.jar!/sample-database.db' to avoid corrupting production databases.
  • Authentication is not required for exploitation; the /api/session/properties and /api/setup/validate endpoints are publicly accessible on unpatched instances.
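Two of the detection notes above turned into runnable checks, as an added example that is not code from this page's sources or from Metabase: the first flags POST /api/setup/validate bodies carrying both H2 trigger markers, or naming the H2 engine after setup is complete; the second reads the UPX magic of an ELF64 file and reports the DreamBus ".gnu" variant. It assumes the engine is named in a JSON field called `engine` and that UPX's l_info struct directly follows the ELF program header table; `build_sample_elf` constructs a minimal stub purely for testing.

```python
import re
import struct

TARGET_PATH = "/api/setup/validate"
# The page's H2 trigger-based RCE pattern: both markers must appear together in the body.
H2_TRIGGER_MARKERS = ("INFORMATION_SCHEMA.TABLES", "//javascript")
# 0x21585055 (standard) and 0x756e672e (DreamBus) are these four bytes read little-endian.
UPX_MAGIC_STANDARD = b"UPX!"
UPX_MAGIC_DREAMBUS = b".gnu"


def classify_setup_validate(method, path, body, setup_complete):
    """Return the detection reasons that fire for one HTTP request (empty list = clean)."""
    reasons = []
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return reasons
    if all(marker in body for marker in H2_TRIGGER_MARKERS):
        reasons.append("h2-trigger-rce-pattern")
    # Assumption: the driver is named in a JSON field called "engine"; adapt to your logs.
    if setup_complete and re.search(r'"engine"\s*:\s*"h2"', body, re.IGNORECASE):
        reasons.append("h2-engine-after-setup-complete")
    return reasons


def upx_magic_variant(elf):
    """Classify the UPX l_info magic of an ELF64 little-endian file, or None if absent.
    Assumption: l_info sits right after the program headers with l_magic at offset 4.
    Grepping a whole file for b".gnu" would false-positive on section names like .gnu.hash.
    """
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        return None
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    off = e_phoff + e_phentsize * e_phnum + 4
    magic = elf[off:off + 4]
    if magic == UPX_MAGIC_STANDARD:
        return "upx-standard"
    if magic == UPX_MAGIC_DREAMBUS:
        return "upx-dreambus-modified"
    return None


def build_sample_elf(magic):
    """Constructed minimal ELF64 stub (header, one program header, l_info) for testing."""
    header = bytearray(64)
    header[:7] = b"\x7fELF\x02\x01\x01"                   # ELF64, little-endian, version 1
    struct.pack_into("<Q", header, 0x20, 64)             # e_phoff: phdrs follow the header
    struct.pack_into("<HH", header, 0x36, 56, 1)         # e_phentsize, e_phnum
    l_info = struct.pack("<I4sHBB", 0, magic, 0, 13, 0)  # l_checksum, l_magic, l_lsize, ...
    return bytes(header) + bytes(56) + l_info
```

The UPX offset assumption should be checked against a known-good UPX-packed binary before the rule is deployed; a mismatch shows up as None for files that are packed.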

CVSS provenance

NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL