DEV Community

Sharon


CVE-2023-38646: Critical RCE Vulnerability in Metabase — What You Need to Know

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Metabase is a popular open-source data analytics and visualization tool that connects to multiple data sources — from databases to cloud services and APIs.

Recently, a critical Remote Code Execution (RCE) vulnerability was disclosed in Metabase (CVE-2023-38646). Although the vendor has released patched versions, security scans still show a large number of vulnerable systems exposed online.

Our emergency response team analyzed the flaw and released two detection tools: X-POC (remote detection) and CloudWalker (local detection), both available for free.


Vulnerability Description

An unauthenticated attacker can exploit CVE-2023-38646 to execute arbitrary commands on the target system with the same permissions as the Metabase server process.

⚠️ Important: Even after upgrading, the patch only takes effect once the installation process is fully completed. Systems left in an uninitialized state remain exploitable.


Detection Tools

1. X-POC Remote Scanner

Run the following command for remote detection:

xpoc -r 403 -t http://target.com

2. CloudWalker Local Scanner

Execute on the host for safe local scanning:

./metabase_rce_cve_2023_38646_scanner_linux_amd64

Affected Versions

  • Metabase Open Source

    • < 0.46.6.1
    • < 0.45.4.1
    • < 0.44.7.1
    • < 0.43.7.2
  • Metabase Enterprise

    • < 1.46.6.1
    • < 1.45.4.1
    • < 1.44.7.1
    • < 1.43.7.2
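
The two scanners above are Chaitin's tools; the script below is an added example, not X-POC or CloudWalker code, that does the simplest possible triage from the table above. It reads the version tag Metabase publishes without authentication at `/api/session/properties` and compares it against the first fixed release of its line. Two assumptions are not in the advisory: release lines older than 0.43/1.43 are treated as vulnerable (they never received a fix), and lines newer than 0.46/1.46 as fixed (they shipped after the patch). The sample JSON is constructed, not captured from a real server.

```python
"""Version-based triage for CVE-2023-38646 from the advisory's affected-version table.
Added example; not Chaitin's X-POC/CloudWalker code and not Metabase's own code."""
import json
import re
import urllib.request
from typing import Optional, Tuple

# First fixed (patch, hotfix) per release line, from the "Affected Versions" table.
# Enterprise 1.x lines carry the same minor/patch/hotfix numbers as open-source 0.x.
FIXED_RELEASES = {
    43: (7, 2),   # 0.43.7.2 / 1.43.7.2
    44: (7, 1),   # 0.44.7.1 / 1.44.7.1
    45: (4, 1),   # 0.45.4.1 / 1.45.4.1
    46: (6, 1),   # 0.46.6.1 / 1.46.6.1
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(tag: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a tag such as 'v0.46.5' or 'v1.46.6.1' into (edition, minor, patch, hotfix).
    A missing hotfix component counts as 0. Returns None for unparseable input."""
    m = VERSION_RE.match(tag.strip())
    if not m:
        return None
    edition, minor, patch, hotfix = m.groups()
    return int(edition), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(tag: str) -> Optional[bool]:
    """True when the version is below the first fixed release of its line.
    Assumption (not from the advisory): lines older than the table are vulnerable,
    lines newer than the table are fixed. None means the tag could not be parsed."""
    parsed = parse_version(tag)
    if parsed is None:
        return None
    _edition, minor, patch, hotfix = parsed
    if minor < min(FIXED_RELEASES):
        return True
    if minor > max(FIXED_RELEASES):
        return False
    return (patch, hotfix) < FIXED_RELEASES[minor]


def version_from_properties(body: str) -> Optional[str]:
    """Extract the version tag from a /api/session/properties JSON body."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    version = data.get("version") if isinstance(data, dict) else None
    if isinstance(version, dict):
        return version.get("tag")
    return None


def check_target(base_url: str, timeout: float = 10.0) -> Optional[bool]:
    """Fetch the unauthenticated properties endpoint of a live instance and triage it."""
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    tag = version_from_properties(body)
    return None if tag is None else is_vulnerable(tag)


# Constructed sample response (not captured from a real server).
SAMPLE_PROPERTIES = '{"version": {"tag": "v0.46.5", "date": "2023-07-05"}, "site-name": "Metabase"}'

if __name__ == "__main__":
    tag = version_from_properties(SAMPLE_PROPERTIES)
    print(tag, "vulnerable" if is_vulnerable(tag) else "patched")
```

A version check only tells you whether the build is patched; it says nothing about the initialization caveat above, so a patched instance still has to complete setup before it can be considered safe. Treat an `is_vulnerable` result of `None` as "investigate manually", not as "clean".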

Mitigation and Fixes

Temporary Workaround:

  • Restrict access with ACL/network rules (e.g., allow only trusted IP ranges).

Permanent Fix:

  • Upgrade to a patched release that matches your release line: 0.46.6.1, 0.45.4.1, 0.44.7.1 or 0.43.7.2 (Open Source), or 1.46.6.1, 1.45.4.1, 1.44.7.1 or 1.43.7.2 (Enterprise).

Notes:

  • For open-source users, download the pre-packaged JAR file for one of the patched versions.
  • For Docker users, pull an image tag that corresponds to a patched version rather than a floating tag you have not verified.
  • Always back up your data before upgrading.
  • Complete the initial setup after upgrading and confirm the application is reachable; an upgraded instance that is still in the uninitialized state may remain vulnerable.

Product Support

  • YunTu: Fingerprint recognition + PoC-based detection.
  • Dongjian: Supports custom PoC scanning.
  • SafeLine WAF: Released a virtual patch to block exploit attempts.
  • Quanxi: Rule updates available for exploit detection.
  • CloudWalker: Supports detection with EMERVULN-23.07.025 update (platform v23.05.001+).

Timeline

  • July 20, 2023 — Official advisory + patch released
  • July 24, 2023 — Vulnerability intel received by Chaitin CERT
  • July 25, 2023 — Vulnerability reproduced and confirmed
  • July 26, 2023 — Public advisory issued by Chaitin

Key Takeaway

If you are running a Metabase version below the patched releases listed above, your server is at serious risk of unauthenticated remote takeover.
Patch immediately, restrict network access in the meantime, and use the detection tools above to validate that each instance is both upgraded and fully initialized.

Meanwhile, consider deploying SafeLine WAF to add a layer of virtual patching and block exploitation attempts in real-time.


Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
