Summary
Researchers discovered that many Metabase instances exposed their setup tokens, which should be removed once setup is complete. They traced the issue to a January 2022 code change in which a refactoring error caused the tokens to be retained, so the vulnerability primarily affected instances set up after that change. To exploit the flaw, they used the setup phase to execute code by abusing JDBC drivers, first targeting the H2 database's INIT parameter and later finding a SQL injection vulnerability in the H2 driver. This allowed them to execute arbitrary code. To avoid damaging databases or the application, they used a sample H2 database from Metabase's JAR file. Patching should address these code issues and be accompanied by stronger security practices.
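A defensive check for the JDBC abuse summarized above, as an added example that is not Metabase's code or the researchers': it refuses user-supplied H2 connection strings by default and, where H2 is permitted, accepts only allowlisted settings so that `INIT` and unknown keys fail closed. The function names, the allowlist contents and the sample URLs are assumptions made for illustration.

```python
import re

# Assumption: a deliberately small allowlist of H2 settings with no side effects.
ALLOWED_H2_SETTINGS = {"IFEXISTS", "ACCESS_MODE_DATA"}


def split_h2_url(url):
    """Split a jdbc:h2 URL into (database part, {SETTING: value}).

    H2 separates settings with ';', treats setting names case-insensitively
    and lets a value escape the separator as '\\;'.
    """
    parts = re.split(r"(?<!\\);", url.strip())
    settings = {}
    for item in parts[1:]:
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        settings[key.strip().upper()] = value.replace("\\;", ";")
    return parts[0], settings


def check_jdbc_url(url, allow_h2=False):
    """Return (ok, reason) for a connection string supplied by a user."""
    if not url.strip().lower().startswith("jdbc:h2:"):
        return True, "not an H2 connection string"
    if not allow_h2:
        # Safest policy: an embedded database is never a user-selectable target.
        return False, "H2 connection strings are not accepted from users"
    _, settings = split_h2_url(url)
    if "INIT" in settings:
        return False, "INIT runs SQL at connect time"
    unknown = sorted(set(settings) - ALLOWED_H2_SETTINGS)
    if unknown:
        # Allowlist, not blocklist: anything unrecognised is rejected.
        return False, "settings not on the allowlist: " + ", ".join(unknown)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the blog posts.
    samples = [
        "jdbc:postgresql://db.example.internal/app",
        "jdbc:h2:file:/data/sample;IFEXISTS=TRUE",
        "jdbc:h2:file:/data/sample;init=RUNSCRIPT FROM 'setup.sql'",
    ]
    for s in samples:
        print(check_jdbc_url(s, allow_h2=True), s)
```

A string filter of this kind is only as good as its agreement with the driver's own parser, which is why the default policy rejects H2 outright instead of trying to sanitize it.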