CVE-2023-38646

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-38646
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38646.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38646
Published
2023-07-21T15:15:10.003Z
Modified
2026-04-10T04:59:08.609669Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type
GIT
Repo
https://github.com/metabase/metabase
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8e08caecb420474f379fc2035e89dbdae44b5ca6
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8e08caecb420474f379fc2035e89dbdae44b5ca6
Introduced
d3700f5368dc0b0c51b42adc293c6458766c948b
Fixed
5154d762e28f5047b5a308a5bca59d3f97ee987f
Introduced
4e41d7624d33a28d40e4aff577124189e70acbc3
Fixed
431f2afebe2bdddbf59f18b586aa7952a4a03c79
Introduced
0ca7df376a56669965cad963b919ae63f5bef973
Fixed
ee1d3235c42f06e650aab3914fd7356ba0a386ec
Introduced
d3700f5368dc0b0c51b42adc293c6458766c948b
Fixed
5154d762e28f5047b5a308a5bca59d3f97ee987f
Introduced
4e41d7624d33a28d40e4aff577124189e70acbc3
Fixed
431f2afebe2bdddbf59f18b586aa7952a4a03c79
Introduced
0ca7df376a56669965cad963b919ae63f5bef973
Fixed
ee1d3235c42f06e650aab3914fd7356ba0a386ec
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.43.7.2"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.43.7.2"
        },
        {
            "introduced": "0.44.0"
        },
        {
            "fixed": "0.44.7.1"
        },
        {
            "introduced": "0.45.0"
        },
        {
            "fixed": "0.45.4.1"
        },
        {
            "introduced": "0.46.0"
        },
        {
            "fixed": "0.46.6.1"
        },
        {
            "introduced": "1.44.0"
        },
        {
            "fixed": "1.44.7.1"
        },
        {
            "introduced": "1.45.0"
        },
        {
            "fixed": "1.45.4.1"
        },
        {
            "introduced": "1.46.0"
        },
        {
            "fixed": "1.46.6.1"
        }
    ]
}

Affected versions

0.*
0.10.3
0.34.0-rc1
Other
blah
v20150601-alpha
v20150603-alpha
v20150604-alpha
v0.*
v0.10.0
v0.10.3
v0.10.4
v0.10.4.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.12.0-test
v0.13.0
v0.26.0.RC1
v0.35.0
v0.35.0-rc1
v0.35.0-rc2
v0.36.0-snapshot
v0.37.0-rc2
v0.38.0-preview
v0.38.0-rc1
v0.38.0-rc2
v0.38.0-rc3
v0.38.0-rc4
v0.40.0
v0.40.0-rc1-dan
v0.40.0-rc2
v0.41.0-RC1
v0.42.0-preview1
v0.43.0
v0.43.0-rc1
v0.43.0-rc2
v0.43.1
v0.43.2
v0.43.3
v0.43.4
v0.43.4.1
v0.43.4.2
v0.43.5
v0.43.6
v0.43.7
v0.43.7.1
v0.44.0
v0.44.1
v0.44.2
v0.44.3
v0.44.4
v0.44.5
v0.44.6
v0.44.6.1
v0.44.7
v0.45.0
v0.45.1
v0.45.2
v0.45.3
v0.45.3.1
v0.45.4
v0.46.0
v0.46.1
v0.46.2
v0.46.3
v0.46.4
v0.46.5
v0.46.6
v0.9-final
v1.*
v1.40.0
v1.40.0-rc2
v1.41.0-RC1
v1.42.0-preview1
v1.42.0-rc2
v1.43.0
v1.43.0-rc1
v1.43.0-rc2
v1.43.1
v1.43.2
v1.43.3
v1.43.4
v1.43.4.1
v1.43.4.2
v1.43.5
v1.43.6
v1.43.7
v1.43.7.1
v1.44.0
v1.44.1
v1.44.2
v1.44.3
v1.44.4
v1.44.5
v1.44.6
v1.44.6.1
v1.44.7
v1.45.0
v1.45.1
v1.45.2
v1.45.3
v1.45.3.1
v1.45.4
v1.46.0
v1.46.1
v1.46.2
v1.46.3
v1.46.4
v1.46.5
v1.46.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38646.json"