What is CVE-2023-38646?

CVE-2023-38646 is a vulnerability in N/a. Published 2023-07-21.

Is CVE-2023-38646 known to be exploited?

102 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2023-38646

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed ver…

EPSS: 0.943 (99.9th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

Boogipop/MetabaseRceTools
robotmikhro/CVE-2023-38646
securezeron/CVE-2023-38646
0xrobiul/CVE-2023-38646
shamo0/CVE-2023-38646-PoC
Pyr0sec/CVE-2023-38646
kh4sh3i/CVE-2023-38646
Pumpkin-Garden/POC_Metabase_CVE-2023-38646
nickswink/CVE-2023-38646
Chocapikk/CVE-2023-38646

References

www.metabase.com/blog/security-advisory
github.com/metabase/metabase/releases/tag/v0.46.6.1
news.ycombinator.com/item
github.com/metabase/metabase/issues/32552
packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html

Frequently asked questions

What is CVE-2023-38646?: CVE-2023-38646 is a vulnerability in N/a. Published 2023-07-21.
Is CVE-2023-38646 known to be exploited?: 102 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.