Detections
Analytics

Metabase 0.43.x < 0.43.7.3 / 0.44.x < 0.44.7.3 /0.45.x < 0.45.4.3 / 0.46.x < 0.46.6.4 / 1.43.x < 1.43.7.3 / 1.44.x < 1.44.7.3 / 1.45.x < 1.45.4.3 / 1.46.x < 1.46.6.4

critical Nessus Plugin ID 261770

Language:

Synopsis

The remote host is affected by a vulnerability.

Description

The version of Metabase installed on the remote host is affected by a remote code execution vulnerability. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. This issue was fixed by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Metabase version 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, 1.46.6.4, or later.

See Also

http://www.nessus.org/u?a63249c4

Plugin Details

Severity: Critical

ID: 261770

File Name: metabase_CVE-2023-37470.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 9/9/2025

Updated: 9/9/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-37470

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:metabase:metabase

Required KB Items: installed_sw/Metabase

Patch Publication Date: 8/4/2023

Vulnerability Publication Date: 8/4/2023

Reference Information

CVE: CVE-2023-37470

CWE: CWE-94