9.8
CVE-2023-38646
- EPSS 97.92%
- Veröffentlicht 21.07.2023 15:15:10
- Zuletzt bearbeitet 21.11.2024 08:13:58
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginMetabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 97.92% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
https://github.com/metabase/metabase/issues/32552
https://github.com/metabase/metabase/releases/tag/v0.46.6.1
https://news.ycombinator.com/item?id=36812256
https://www.metabase.com/blog/security-advisory