Metabase RCE (CVE-2023-38646) - Vulnerability Database

Metabase RCE (CVE-2023-38646)

Description

Metabase versions prior to 0.46.6.1 and 0.45.4.1 contain a critical remote code execution vulnerability (CVE-2023-38646) that allows attackers to execute arbitrary commands on the server. The vulnerability exists in the setup token validation mechanism, which can be exploited before the initial setup is completed or if the setup token is exposed.

Remediation

Immediately upgrade Metabase to version 0.46.6.1 or later (or 0.45.4.1 if using the 0.45.x branch). Follow these steps:

1. Back up your Metabase application database and configuration files
2. Download the patched version from the official Metabase repository
3. Stop the Metabase service
4. Replace the existing Metabase JAR file with the updated version
5. Restart the Metabase service
6. Verify the setup token is not exposed in environment variables or configuration files
7. If Metabase setup was never completed, complete it immediately to invalidate the default setup token

As an additional security measure, ensure the MB_SETUP_TOKEN environment variable is unset after initial setup is complete, and implement network-level access controls to restrict access to the Metabase instance.
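As an added check that is not part of this advisory, the following Python script decides whether a reported Metabase version predates the fixed releases named above (0.46.6.1 on the 0.46.x branch, 0.45.4.1 on the 0.45.x branch, everything older unpatched) and flags a lingering MB_SETUP_TOKEN in a process environment; the sample environment at the bottom is constructed, not read from a real host.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (0, 46): (0, 46, 6, 1),
    (0, 45): (0, 45, 4, 1),
}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)  # (0, 45)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v0.46.6.1' or '0.46.6' into a tuple that compares numerically."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if this release predates the CVE-2023-38646 fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison handles the four-part tag: (0,46,6) < (0,46,6,1).
        return v < FIXED_BY_BRANCH[branch]
    # Branches older than 0.45 (e.g. 0.44.x) are unpatched; branches newer
    # than 0.46 were released after the fix.
    return branch < OLDEST_FIXED_BRANCH


def assess(version: str, env: Dict[str, str]) -> List[str]:
    """Combine the version check with the setup-token hygiene check (step 6)."""
    findings = []
    if is_vulnerable(version):
        findings.append(f"Metabase {version} predates the fix; upgrade to "
                        "0.46.6.1 (or 0.45.4.1 on the 0.45.x branch)")
    if env.get("MB_SETUP_TOKEN"):
        findings.append("MB_SETUP_TOKEN is still set; unset it once "
                        "initial setup is complete")
    return findings


if __name__ == "__main__":
    # Constructed sample environment for demonstration only.
    sample_env = {"MB_SETUP_TOKEN": "example-token", "MB_DB_TYPE": "postgres"}
    for line in assess("0.46.6", sample_env):
        print("FINDING:", line)
```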

References