This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Metabase has a critical **Pre-auth Remote Code Execution (RCE)** flaw. π **Consequences**: Attackers can execute arbitrary commands on the server with the same privileges as the Metabase service user.β¦
π‘οΈ **Root Cause**: The vulnerability stems from insufficient input validation in the data processing pipeline. It allows unauthenticated users to inject malicious payloads that are executed by the backend.β¦
π¦ **Affected Versions**: β’ **Open Source**: < 0.46.6.1, < 0.45.4.1, < 0.44.7.1, < 0.43.7.2 β’ **Enterprise**: < 1.46.6.1, < 1.45.4.1, < 1.44.7.1, < 1.43.7.2 β οΈ If you are running any version older than these, you are vulβ¦
π **Attacker Capabilities**: β’ **Full Control**: Execute ANY command on the host OS. β’ **Privileges**: Run as the user running the Metabase service (often root or high-privilege user).β¦
π₯ **Public Exploits**: **YES**. Multiple PoCs are available on GitHub (e.g., by @adriyansyah-mf, @Pumpkin-Garden, @0xrobiul, @Chocapikk). CVSS Score is **9.8** (Critical). Wild exploitation is highly likely.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: 1. Check your Metabase version in the UI footer. 2. Use the provided Python scripts (e.g., `check.py`) to scan for the vulnerability. 3.β¦
π¨ **Urgency**: **CRITICAL / IMMEDIATE**. β’ **Priority**: **P0**. β’ **Reason**: Pre-auth RCE with CVSS 9.8 and public exploits means automated bots are likely scanning for this NOW.β¦