Statement from the Bluescape CISO Regarding the Recent Metabase Vulnerability

On July 20th, 2023, Metabase publicly announced that a critical vulnerability had been detected that allows unauthenticated attackers to run arbitrary commands with the same access privileges as the Metabase server.

As a customer of Metabase, Bluescape was privately informed about the vulnerability by Metabase during the week of July 17th, 2023, and as a result, Bluescape held a meeting with the Metabase technical team within 24 hours. Based on these discussions, Bluescape was able to take appropriate actions to successfully nullify and remediate the vulnerability.

Based on internal and external forensic analysis with our security partners, there are no indications of improper access or data compromise of any kind. That said, Bluescape will continue to monitor the aftermath of the Metabase vulnerability to stay on top of any alerts that we may receive from third parties that require action.

If you have any further questions, please feel free to contact Bluescape Security at:

Mark Willis
CISO, Bluescape