CVE-2023-38646
Description
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Severity: CRITICAL
CVE ID: CVE-2023-38646
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2023-38646
Reference: Project Discovery GitHub
adriyansyah-mf
Reference: GitHub
Pumpkin-Garden
For educational purposes only
Reference: GitHub
0xrobiul
Metabase Pre-auth RCE (CVE-2023-38646)!!
Reference: GitHub
Chocapikk
Remote Code Execution on Metabase CVE-2023-38646
Reference: GitHub
Xuxfff
Reference: GitHub
securezeron
POC for CVE-2023-38646
Reference: GitHub
raytheon0x21
Tools to exploit metabase CVE-2023-38646
Reference: GitHub
Zenmovie
Proof of Concept for CVE-2023-38646
Reference: GitHub
shamo0
Metabase Pre-auth RCE
Reference: GitHub
fidjiw
CVE-2023-38646-POC
Reference: GitHub
Any3ite
Reference: GitHub
robotmikhro
Automatic Tools For Metabase Exploit Known As CVE-2023-38646
Reference: GitHub
kh4sh3i
Metabase Pre-auth RCE (CVE-2023-38646)
Reference: GitHub
joaoviictorti
CVE-2023-38646 (Pre-Auth RCE in Metabase)
Reference: GitHub
yxl2001
Reference: GitHub
alexandre-pecorilla
CVE-2023-38646 Pre-Auth RCE in Metabase
Reference: GitHub
CN016
Metabase H2 Remote Code Execution Vulnerability (CVE-2023-38646)
Reference: GitHub
Boogipop
CVE-2023-38646 Metabase RCE
Reference: GitHub
SUT0L
CVE-2023-38646 Metabase 0.46.6 exploit
Reference: GitHub
nickswink
CVE-2023-38646 Unauthenticated RCE vulnerability in Metabase
Reference: GitHub
passwa11
Reference: GitHub
threatHNTR
This is a Proof of Concept (PoC) script for exploiting Metabase, an open-source business intelligence and data analytics tool.
Reference: GitHub
asepsaepdin
Reference: GitHub
Pyr0sec
Exploit script for Pre-Auth RCE in Metabase (CVE-2023-38646)
Reference: GitHub
birdm4nw
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Reference: GitHub
AnvithLobo
RCE Exploit for CVE-2023-38646
Reference: GitHub
Red4mber
Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection
Reference: GitHub
junnythemarksman
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Reference: GitHub
Mrunalkaran
Metabase Pre-Auth RCE POC
Reference: GitHub
j0yb0y0h
Code to detect/exploit vulnerable metabase application
Reference: GitHub
Ego1stoo
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Reference: GitHub
0utl4nder
Metabase postgres (org.h2.Driver) RCE without INIT
Reference: GitHub
Shisones
Reference: GitHub
acesoyeo
Reference: GitHub
UserConnecting
Exploit for the Remote Code Execution (RCE) vulnerability identified in Metabase versions before 0.46.6.1 (open source) and 1.46.6.1 (Enterprise). Authentication is not required for exploitation.
Reference: GitHub
Content on GitHub
m3m0o | watchers:20
metabase-pre-auth-rce-poc
This is a script written in Python that allows the exploitation of the Metabase software security flaw described in CVE 2023-38646.
Reference: GitHub