Metabase version 0.46.6 pre-authentication remote code execution exploit.
12ec4ccc18bfbb1b00d57a614e06d901073104741529ac741a8598bcfc795479
Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6.
0a49c9f4d4d3d065adc61a8d542b1a3379563811b2a4fdfe39b4bc3102f9d059