Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in Metabase, an open-source business intelligence tool, could allow an attacker to execute arbitrary code on the server. This is possible by exploiting a flaw in how Metabase configures certain database connections, potentially enabling unauthorized access and modification of system files. The main concern is to confirm if this specific technology is in use and assess any exposure.
- Flaw allows code execution on Metabase servers.
- Confirms use and exposure of BI tool.
- Prioritize verifying relevance and potential impact.
Attack Path
How an attacker could exploit the issue
An attacker can achieve remote code execution by tricking a Metabase user into configuring a database connection to a malicious server. This leverages a flaw in the Snowflake JDBC driver to write files onto the Metabase host, eventually leading to the execution of arbitrary code within the Metabase process.
- Network access required.
- Malicious database connection configuration.
- Remote code execution.
Live Threat
Current exploitation, exposure, and threat context
A Metabase user with database connection privileges could execute arbitrary code on the server by configuring a malicious Snowflake connection. This could allow an attacker to replace Metabase's database driver files, leading to the execution of arbitrary code within the Metabase process when the driver is next used.
- Metabase server code execution.
- Malicious database connection configuration.
- System compromise and data access.
Operational Fix
Recommended remediation, mitigation, and detection steps
Real-world responsibility for this vulnerability likely falls to the application owners responsible for the Metabase instances and potentially platform or infrastructure teams managing the underlying server. The first practical move is to identify all Metabase deployments, confirm their reachability and business criticality, and then assign ownership for remediation to the accountable party before planning a coordinated update.
- Application owners should own the issue.
- Verify external reachability and business criticality.
- Plan and execute controlled upgrades.