[2026-07-17T07:40:59Z] Source/image identity recorded in logs/vuln_variant/source_versions.txt [2026-07-17T07:40:59Z] Pulling product images metabase/metabase-enterprise:v1.61.1 and metabase/metabase-enterprise:v1.61.2 if needed [2026-07-17T07:41:03Z] Starting vuln Metabase product container on shared worker network port 33101 using metabase/metabase-enterprise:v1.61.1 [2026-07-17T07:41:34Z] vuln health endpoint is reachable [2026-07-17T07:41:34Z] Starting fixed Metabase product container on shared worker network port 33102 using metabase/metabase-enterprise:v1.61.2 [2026-07-17T07:42:04Z] fixed health endpoint is reachable [2026-07-17T07:42:05Z] vuln setup token obtained; creating admin via /api/setup [2026-07-17T07:42:05Z] vuln admin session acquired [2026-07-17T07:42:05Z] fixed setup token obtained; creating admin via /api/setup [2026-07-17T07:42:05Z] fixed admin session acquired [2026-07-17T07:42:05Z] vuln candidate 1: POST /api/database with unsafe H2 details [2026-07-17T07:42:05Z] vuln candidate 1 status=400 body={"message":"H2 is not supported as a data warehouse"} [2026-07-17T07:42:06Z] fixed candidate 1: POST /api/database with unsafe H2 details [2026-07-17T07:42:06Z] fixed candidate 1 status=400 body={"message":"H2 is not supported as a data warehouse"} [2026-07-17T07:42:06Z] vuln candidate 2: POST /api/ee/serialization/import with crafted H2 Database archive [2026-07-17T07:42:06Z] vuln candidate 2 status=500 body={"via":[{"type":"java.lang.ClassCastException","message":"class org.apache.logging.slf4j.Log4jLogger cannot be cast to class org.apache.logging.log4j.core.Logger (org.apache.logging.slf4j.Log4jLogger and org.apache.logging.log4j.core.Logger are in unnamed module of loader 'app')","at":["metabase.logger.core$effective_ns_logger","invokeStatic","core.clj",105]}],"trace":[["metabase.logger.core$effective_ns_logger","invokeStatic","core.clj",105],["metabase.logger.core$effective_ns_logger","invoke","core.clj",102],["clojure.core$mapv$fn__8569","invoke","core.clj",7059],["clojure.lang.PersistentVector","reduce","PersistentVector.java",418],["clojure.core$reduce","invokeStatic","core.clj",6964],["clojure.core$mapv","invokeStatic","core.clj",7050],["clojure.core$mapv","invoke","core.clj",7050],["metabase.logger.core$for_ns","invokeStatic","core.clj",155],["metabase.logger.core$for_ns","doInvoke","core.clj",148],["clojure.lang.RestFn","invoke","RestFn.java",445],["metabase_enterprise.serialization.api$unpack_AMPERSAND_import","invokeStatic","api.clj",122],["metabase_enterprise.serialization.api$unpack_AMPERSAND_import","doInvoke","api.clj",114],["clojure.lang.RestFn","invoke","RestFn.java" [2026-07-17T07:42:06Z] fixed candidate 2: POST /api/ee/serialization/import with crafted H2 Database archive [2026-07-17T07:42:06Z] fixed candidate 2 status=500 body={"via":[{"type":"java.lang.ClassCastException","message":"class org.apache.logging.slf4j.Log4jLogger cannot be cast to class org.apache.logging.log4j.core.Logger (org.apache.logging.slf4j.Log4jLogger and org.apache.logging.log4j.core.Logger are in unnamed module of loader 'app')","at":["metabase.logger.core$effective_ns_logger","invokeStatic","core.clj",105]}],"trace":[["metabase.logger.core$effective_ns_logger","invokeStatic","core.clj",105],["metabase.logger.core$effective_ns_logger","invoke","core.clj",102],["clojure.core$mapv$fn__8569","invoke","core.clj",7059],["clojure.lang.PersistentVector","reduce","PersistentVector.java",418],["clojure.core$reduce","invokeStatic","core.clj",6964],["clojure.core$mapv","invokeStatic","core.clj",7050],["clojure.core$mapv","invoke","core.clj",7050],["metabase.logger.core$for_ns","invokeStatic","core.clj",155],["metabase.logger.core$for_ns","doInvoke","core.clj",148],["clojure.lang.RestFn","invoke","RestFn.java",445],["metabase_enterprise.serialization.api$unpack_AMPERSAND_import","invokeStatic","api.clj",122],["metabase_enterprise.serialization.api$unpack_AMPERSAND_import","doInvoke","api.clj",114],["clojure.lang.RestFn","invoke","RestFn.java" [2026-07-17T07:42:06Z] vuln candidate scan: probe /api/ee/advanced-config runtime upload endpoint availability [2026-07-17T07:42:06Z] vuln advanced-config probe status=404 body="API endpoint does not exist." [2026-07-17T07:42:06Z] fixed candidate scan: probe /api/ee/advanced-config runtime upload endpoint availability [2026-07-17T07:42:06Z] fixed advanced-config probe status=404 body="API endpoint does not exist." [2026-07-17T07:42:06Z] No variant bypass confirmed. Candidate entry points were blocked or unavailable on the fixed product.