Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
https://blog.xlab.qianxin.com/catddos-derivative-en/
https://www.metabase.com/blog/security-advisory
https://news.ycombinator.com/item?id=36812256
https://github.com/metabase/metabase/releases/tag/v0.46.6.1
https://github.com/metabase/metabase/issues/32552
http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html