Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an “extremely severe” flaw that could result in pre-authenticated remote code execution on affected installations.
Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1.
“An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on,” Metabase said in an advisory released last week.
