Metabase Installation Page Exposure Scanner
This scanner detects an exposed Metabase installation page on digital assets. An inappropriately exposed installation page can allow unauthorized database setup and configuration. The scanner identifies this risk to help protect the safety and integrity of digital assets.
Short Info
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 19 days 19 hours
Scan only one: URL
Metabase is a popular open-source business intelligence tool that allows users to ask questions about their data and visualize the answers. It is widely used by businesses and organizations for data analysis and reporting purposes. Metabase is typically employed by data analysts, business users, and IT professionals to create and share dashboards and visual reports. The primary aim of Metabase is to provide an easy and user-friendly way for non-technical users to leverage data insights. The application can be integrated with various databases and platforms to pull and analyze data effectively. As such, ensuring that its setup and configuration are secure is crucial to protect sensitive data.
The vulnerability detected by this scanner is the exposure of the Metabase installation page. Improper access controls can leave the installation page accessible to unauthorized users. When it is exposed, malicious actors can set up or reconfigure the database without proper authorization. This exposure can lead to unauthorized database modifications and potential data breaches. The scanner identifies whether the installation page is exposed unnecessarily, so that the risk can be addressed.
Technical details of this vulnerability revolve around the exposure of the installation endpoint, typically found at "/setup". The vulnerability is triggered when this endpoint is accessible without proper security measures. The scanner checks for status code 200 and specific elements in the page body indicating an exposed setup page. The presence of the strings "has-user-setup":false and _metabaseBootstrap in the body confirms the exposure of the setup process.
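The check described above can be reproduced by an asset owner against a response fetched from "/setup" on their own instance. The following is an added example, not the scanner's own code: the function name, the three result labels, the tolerance for whitespace after the colon, and the reading of a true value as completed setup are assumptions, and the sample bodies are constructed rather than captured.

```python
import re

# Markers named in the scanner description above.
BOOTSTRAP_MARKER = "_metabaseBootstrap"
# Assumption: tolerate optional whitespace around the colon; capture the value.
USER_SETUP_RE = re.compile(r'"has-user-setup"\s*:\s*(true|false)')


def classify_setup_response(status: int, body: str) -> str:
    """Classify a response fetched from <base>/setup on an instance you own.

    Returns one of:
      "exposed"        - 200, bootstrap marker present, has-user-setup is false
      "setup-complete" - 200, bootstrap marker present, has-user-setup is true
      "inconclusive"   - anything else (non-200, marker absent, flag absent)
    """
    if status != 200 or BOOTSTRAP_MARKER not in body:
        return "inconclusive"
    match = USER_SETUP_RE.search(body)
    if match is None:
        return "inconclusive"
    return "exposed" if match.group(1) == "false" else "setup-complete"


# Constructed sample bodies (not captured from a real instance).
SAMPLE_UNCONFIGURED = (
    '<html><body><script type="application/json" id="_metabaseBootstrap">'
    '{"has-user-setup":false,"site-name":"Metabase"}</script></body></html>'
)
SAMPLE_CONFIGURED = SAMPLE_UNCONFIGURED.replace(
    '"has-user-setup":false', '"has-user-setup": true'
)
SAMPLE_OTHER_APP = "<html><body><h1>Setup</h1></body></html>"

if __name__ == "__main__":
    cases = [
        ("unconfigured", 200, SAMPLE_UNCONFIGURED),
        ("configured", 200, SAMPLE_CONFIGURED),
        ("other app", 200, SAMPLE_OTHER_APP),
        ("blocked", 403, SAMPLE_UNCONFIGURED),
    ]
    for name, status, body in cases:
        print(f"{name}: {classify_setup_response(status, body)}")
```

An "exposed" result means the first-run setup has not been completed and the page is reachable; completing setup or restricting network access to the instance changes the result.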
Exploiting this exposure could allow unauthorized setup or modification of database configurations, leading to unauthorized access to sensitive data. Malicious entities could set up backdoors, access user information, or modify data without detection. Such unauthorized actions could severely impact data confidentiality, integrity, and availability. Moreover, it might lead to reputational damage and non-compliance with data protection regulations.