module
Metabase Setup Token RCE
Disclosed | Created |
---|---|
07/22/2023 | 08/09/2023 |
Disclosed
07/22/2023
Created
08/09/2023
Description
Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token
is accessible even after the setup process has been completed. With this token
a user is able to submit the setup functionality to create a new database.
When creating a new database, an H2 database string is created with a TRIGGER
that allows for code execution. We use a sample database for our connection
string to prevent corrupting real databases.
Successfully tested against Metabase 0.46.6, 0.44.4, 0.42.1.
is accessible even after the setup process has been completed. With this token
a user is able to submit the setup functionality to create a new database.
When creating a new database, an H2 database string is created with a TRIGGER
that allows for code execution. We use a sample database for our connection
string to prevent corrupting real databases.
Successfully tested against Metabase 0.46.6, 0.44.4, 0.42.1.
Authors
h00dieMaxwell GarrettShubham Shah
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/metabase_setup_token_rce msf /(e) > show actions ...actions... msf /(e) > set ACTION < action-name > msf /(e) > show options ...show and set options... msf /(e) > run

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.