SSB-2023-002 - Major vulnerability in Metabase

CVSS score v3.1
Base 10.0
Temporal 8.7
Environmental 8.7

A major vulnerability (CVE-2023-38646) has been reported in the third-party product Metabase.

We currently estimate its CVSS score between 8.7 and 10.

This is not, in any way, a vulnerability in the Scalingo platform. But as some of our users are deploying this tool, and due to its severity, we have decided to publish a security bulletin.

Furthermore, as we maintain an easy installer for Metabase (buildpack), it is our duty to inform as many users as possible.

The vulnerability is a “Remote Code Execution” and will allow an attacker to take total control of your Metabase instance, and possibly to connect to your datasources and exfiltrate data.

This can have integrity, availability or confidentiality impacts.

The affected code has been corrected by Metabase, and we have contacted the potentially impacted customers with an individual message.

We advise all our customers using Metabase to update it immediately (see "What you should do").

Incident Analysis

On 21/07/2023, our internal vulnerability watch process reported this blog post on Metabase’s blog: https://www.metabase.com/blog/security-advisory

A quick assessment led us to classify the vulnerability with a HIGH severity. We shut down our Metabase instance and diverted a developer to work on the deployment of the fix immediately.

In the meantime, our analysis gave us a CVSS Score of 10.0 (10.0/8.7/8.7).

There are currently no indicators of compromise (IoC), and to our knowledge there has been no data leak.

Incident Response

Timeline

2023-07-21 15:00 Internal report
2023-07-21 15:00 Developer starts to work on fix
2023-07-21 15:15 Engineer starts to analyse the vulnerability
2023-07-21 16:00 Internal Metabase instances are shut down
2023-07-21 16:45 Metabase buildpack fixed and tested
2023-07-21 17:00 Internal Metabase instances fixed and restarted
2023-07-26 Publication of this Bulletin

What you should do

We advise all our customers using Metabase to immediately update Metabase using the following instructions:

What we will do in the future

  • Continue to update this Security Bulletin

Product Impacts

Scalingo PaaS

No impact

Scalingo DBaaS addons

No impact

Other Scalingo addons and services

No impact

Changelog

2023-07-26 First version

©2024 Scalingo