CVE-2023-38646 — AI Deep Analysis Summary

🚨 **Essence**: Metabase has a critical **Pre-auth Remote Code Execution (RCE)** flaw. 📉 **Consequences**: Attackers can execute arbitrary commands on the server with the same privileges as the Metabase service user.…

🛡️ **Root Cause**: The vulnerability stems from insufficient input validation in the data processing pipeline. It allows unauthenticated users to inject malicious payloads that are executed by the backend.…

📦 **Affected Versions**: • **Open Source**: < 0.46.6.1, < 0.45.4.1, < 0.44.7.1, < 0.43.7.2 • **Enterprise**: < 1.46.6.1, < 1.45.4.1, < 1.44.7.1, < 1.43.7.2 ⚠️ If you are running any version older than these, you are vul…

💀 **Attacker Capabilities**: • **Full Control**: Execute ANY command on the host OS. • **Privileges**: Run as the user running the Metabase service (often root or high-privilege user).…

🔓 **Exploitation Threshold**: **LOW**. • **Auth Required?**: **NO**. It is **Pre-auth**. • **Config?**: No special configuration needed.…

🔥 **Public Exploits**: **YES**. Multiple PoCs are available on GitHub (e.g., by @adriyansyah-mf, @Pumpkin-Garden, @0xrobiul, @Chocapikk). CVSS Score is **9.8** (Critical). Wild exploitation is highly likely.

🔍 **Self-Check**: 1. Check your Metabase version in the UI footer. 2. Use the provided Python scripts (e.g., `check.py`) to scan for the vulnerability. 3.…

✅ **Official Fix**: **YES**. Metabase released security advisories and patched versions. • **Action**: Upgrade immediately to **0.46.6.1+** (Open Source) or **1.46.6.1+** (Enterprise).…

🚧 **No Patch Workaround**: • **Network Isolation**: Block external access to the Metabase port (default 3000) using firewalls/WAF.…

🚨 **Urgency**: **CRITICAL / IMMEDIATE**. • **Priority**: **P0**. • **Reason**: Pre-auth RCE with CVSS 9.8 and public exploits means automated bots are likely scanning for this NOW.…