CVE-2021-41277

Metabase GeoJSON API Local File Inclusion Vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

Metabase es una plataforma de análisis de datos de código abierto. En las versiones afectadas se ha detectado un problema de seguridad con el soporte de mapas GeoJSON personalizados ("admin->settings->maps->custom maps->add a map") y la posible inclusión de archivos locales (incluyendo variables de entorno). Las URLs no se comprueban antes de ser cargadas. Este problema se ha corregido en una nueva versión de mantenimiento (0.40.5 y 1.40.5), y en cualquier otra versión posterior. Si no puede actualizar inmediatamente, puede mitigar esto incluyendo reglas en su proxy inverso o balanceador de carga o WAF para proporcionar un filtro de comprobación antes de la aplicación.

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-11-17 CVE Published
2021-11-22 First Exploit
2024-11-12 Exploited in Wild
2024-11-13 CVE Updated
2024-11-15 EPSS Updated
2024-12-03 KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (11)

URL	Tag	Source
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr	Third Party Advisory

URL	Date	SRC
https://github.com/tahtaciburak/CVE-2021-41277	2021-11-25
https://github.com/zer0yu/CVE-2021-41277	2021-12-06
https://github.com/Seals6/CVE-2021-41277	2021-11-22
https://github.com/z3n70/CVE-2021-41277	2021-11-22
https://github.com/kap1ush0n/CVE-2021-41277	2021-11-22
https://github.com/TheLastVvV/CVE-2021-41277	2021-11-24
https://github.com/chengling-ing/CVE-2021-41277	2022-03-11
https://github.com/kaizensecurity/CVE-2021-41277	2021-11-24
https://github.com/RubXkuB/PoC-Metabase-CVE-2021-41277	2023-10-19

URL	Date	SRC
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0	2023-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				0.40.0 Search vendor "Metabase" for product "Metabase" and version "0.40.0"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				0.40.1 Search vendor "Metabase" for product "Metabase" and version "0.40.1"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				0.40.2 Search vendor "Metabase" for product "Metabase" and version "0.40.2"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				0.40.3 Search vendor "Metabase" for product "Metabase" and version "0.40.3"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				0.40.4 Search vendor "Metabase" for product "Metabase" and version "0.40.4"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				1.40.0 Search vendor "Metabase" for product "Metabase" and version "1.40.0"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				1.40.1 Search vendor "Metabase" for product "Metabase" and version "1.40.1"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				1.40.2 Search vendor "Metabase" for product "Metabase" and version "1.40.2"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				1.40.3 Search vendor "Metabase" for product "Metabase" and version "1.40.3"		-		Affected
Metabase Search vendor "Metabase"		Metabase Search vendor "Metabase" for product "Metabase"				1.40.4 Search vendor "Metabase" for product "Metabase" and version "1.40.4"		-		Affected