SSB-2023-002 - Major vulnerability in Metabase

CVSS score v3.1
Base 10.0
Temporal 8.7
Environmental 8.7

A major vulnerability (CVE-2023-38646) has been reported in the third-party product Metabase.

We currently estimate its CVSS score between 8.7 and 10.

This is not, in any way, a vulnerability in the Scalingo platform. But as some of our users are deploying this tool, and due to its severity, we have decided to publish a security bulletin.

Furthermore, as we maintain an easy installer for Metabase (buildpack), it is our duty to inform as many users as possible.

The vulnerability is a “Remote Code Execution” and will allow an attacker to take total control of your Metabase instance, and possibly to connect to your datasources and exfiltrate data.

This can have integrity, availability or confidentiality impacts.

The affected code has been corrected by Metabase, and we have contacted the potentially impacted customers with an individual message.

We advise all our customers using Metabase to immediately update it (see What you should do)

Incident Analysis

On 21/07/2023, our internal vulnerability watch process reported this blog post on Metabase’s blog:

A quick assessment, led us to classify the vulnerability with a HIGH severity. We shut down our Metabase instance and diverted a developer to work the deployment of the fix immediately.

In the meantime, our analysis gave us a CVSS Score of 10.0 (10.0/8.7/8.7).

There are currently no indicators of compromise (IoC), but to our knowledge there has been no data leak.

Incident Response


2023-07-21 15:00 Internal report
2023-07-21 15:00 Developer starts to work on fix
2023-07-21 15:15 Engineer starts to analyse the vulnerability
2023-07-21 16:00 Internal Metabase instances are shutdown
2023-07-21 16:45 Metabase buildpack fixed and tested
2023-07-21 17:00 Internal Metabase instances fixed and restarted
2023-07-26 Publication of this Bulletin

What you should do

We advise all our customers using Metabase to immediately update Metabase using the following instructions:

What we will do in the future

  • Continue to update this Security Bulletin

Product Impacts

Scalingo PaaS

No impact

Scalingo DBaaS addons

No impact

Other Scalingo addons and services

No impact


2023-07-26 First version

Suggest edits

SSB-2023-002 - Major vulnerability in Metabase

©2024 Scalingo