11/5/2023
Api metabase

Metabase Critical Flaw

The project has over 33,000 stars on GitHub and has recently patched several vulnerabilities.

As per the report from Assetnote, more than 20,000 instances of Metabase were exposed to the internet, which also exposes the sensitive data sources connected to these Metabase instances.

A pre-auth RCE on these instances would open a kingdom of information for a threat actor.

For achieving pre-auth RCE, the researchers initially started a vulnerable Metabase instance with the below command, which starts the instance on port 3000.

docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6

In addition, the exploit does not require any special configurations on the Metabase.

When setting up Metabase initially, a setup token is provided to the users, which allows them to complete the setup process. The setup token was configured to be used only once and erased after use.

However, reports indicate that some Metabase instances still had the setup token accessible to unauthenticated users by the following methods:

- The HTML source of the index/login page has the setup-token in a JSON object.
- The /api/session/properties endpoint also exposed the setup-token, which was accessible without authentication.

There were several instances where Metabase did not wipe the setup-token value, while other instances had "setup-token":null. This was due to a codebase commit change in Jan 2022 which had the "setup/clear-token!" value set. This means that there was another change in the Metabase setup flow that led to the setup token prevailing on the vulnerable instances.

Furthermore, Metabase prompts users to connect to a data source, which is where the /api/setup/validate endpoint was found. This endpoint takes the JDBC URI value as part of the POST request.

An SQL injection was found in the H2 db driver, which has the INIT parameter. The H2 db driver uses an INIT parameter, which is an SQL query run at initialization of the database connection.
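As an added example (not code from the article, Assetnote or Metabase), here is a small Python checker a defender can run over their own access logs and a saved /api/session/properties response: it flags POSTs to /api/setup/validate whose JSON body carries an H2 connection string with an INIT= option, and reports whether the properties payload still exposes a non-null setup-token. The log line format and the request JSON shape are assumptions, and the sample lines are constructed.

```python
import json
import re
from typing import Iterator, Optional
from urllib.parse import unquote

# Assumed log format (constructed, not Metabase's own): "<ip> <method> <path> <status> [body=<json>]"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})(?: body=(?P<body>.+))?$")
# H2 connection options are ';'-separated key=value pairs; INIT is the one that runs SQL on connect.
H2_INIT_RE = re.compile(r"(?:^|;)\s*INIT\s*=", re.IGNORECASE)

def jdbc_uri_has_init(uri: str) -> bool:
    """True when a connection string carries an INIT= option, even if it was URL-encoded."""
    return bool(H2_INIT_RE.search(unquote(uri)))

def _strings(obj) -> Iterator[str]:
    """Yield every string value in a nested JSON document, whatever the exact schema."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)

def classify_line(line: str) -> Optional[str]:
    """Return a finding label for one access-log line, or None when nothing is notable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    if m["method"] == "POST" and m["path"].startswith("/api/setup/validate") and m["body"]:
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            return "setup-validate-unparseable-body"
        if any(jdbc_uri_has_init(s) for s in _strings(body)):
            return "setup-validate-h2-init"      # connection string tries to run SQL on connect
        return "setup-validate-request"          # setup endpoint used at all: worth a look post-setup
    return None

def setup_token_exposed(properties: dict) -> bool:
    """Check a /api/session/properties payload: a non-null setup-token means setup was never cleared."""
    return properties.get("setup-token") not in (None, "")

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 GET /api/session/properties 200',
    '10.0.0.7 POST /api/setup/validate 400 body={"token":"t","details":{"engine":"h2","details":{"db":"mem:demo"}}}',
    '10.0.0.9 POST /api/setup/validate 400 body={"token":"t","details":{"engine":"h2","details":{"db":"mem:demo;INIT=SELECT%201"}}}',
]

def scan(lines) -> list:
    """Return (line index, label) for every flagged line."""
    return [(i, label) for i, line in enumerate(lines) if (label := classify_line(line))]
```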