CVE-2021-41277:
Path Traversal Vulnerability in Metabase Custom GeoJSON Maps Feature
Score
A numerical rating that indicates how dangerous this vulnerability is.
- Score: 7.5 (High)
- Published Date: Nov 17, 2021
- CISA KEV Date: Nov 12, 2024
- Industries Affected: 20
Threat Predictions
- EPSS Score: 94.4
- EPSS Percentile: 100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:3.6
- Confidentiality Impact:HIGH
- Integrity Impact:NONE
- Availability Impact:NONE
Description Preview
Path Traversal Vulnerability in Metabase Custom GeoJSON Maps Feature
Overview
Metabase, an open source data analytics platform, contained a security vulnerability in its custom GeoJSON map feature accessible through the admin settings (admin->settings->maps->custom maps->add a map). The vulnerability stems from improper validation of URLs before they are loaded, which could lead to local file inclusion. This could allow attackers to access sensitive files and environment variables on the server hosting the Metabase instance. The vulnerability is particularly concerning as it could expose configuration details, credentials, and other sensitive information that might be stored in environment variables or local files.
Remediation
- To address this vulnerability, users should upgrade to Metabase version 0.40.5, 1.40.5, or any subsequent release that contains the security fix. If immediate upgrading is not possible, a temporary mitigation strategy is to implement validation rules in your reverse proxy, load balancer, or Web Application Firewall (WAF) to filter and validate requests before they reach the Metabase application. Organizations should also review access logs for any suspicious activities that might indicate exploitation attempts of this vulnerability.
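The root cause described above is a URL accepted by the custom-map feature without validation before it is loaded. The following validator is an added example written for this page (not Metabase's own fix, whose details are in the referenced commit) showing the checks a defender would want before fetching a user-supplied GeoJSON URL: only absolute http(s) URLs with a host are accepted, local schemes such as file:// and bare filesystem paths are rejected, and percent-encoded (including double-encoded) traversal segments are caught. The optional host allowlist is an assumption illustrating the kind of rule the remediation suggests placing in a reverse proxy or WAF; all sample URLs below are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse, unquote

# Only remote web resources may be loaded as custom maps.
ALLOWED_SCHEMES = {"http", "https"}


def validate_geojson_url(url: str,
                         allowed_hosts: Optional[frozenset] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a user-supplied custom-map URL.

    Hypothetical helper (not part of Metabase). Rejects anything that could
    resolve to the server's local filesystem and, when an allowlist is given,
    any host outside it.
    """
    if not isinstance(url, str) or not url.strip():
        return False, "empty url"

    parsed = urlparse(url.strip())

    # file://, jar:, data:, or no scheme at all (a bare path) are all refused.
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"

    # An http(s) URL without a host cannot point at a remote resource.
    if not parsed.hostname:
        return False, "missing host"

    if allowed_hosts is not None and parsed.hostname.lower() not in allowed_hosts:
        return False, f"host not in allowlist: {parsed.hostname}"

    # Decode twice so %2e%2e and %252e%252e are both seen as '..'.
    path = unquote(unquote(parsed.path))
    segments = path.replace("\\", "/").split("/")
    if any(seg == ".." for seg in segments):
        return False, "traversal segment in path"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs a defender might feed through the check.
    samples = [
        "https://example.com/maps/regions.geojson",
        "file:///some/local/file.json",
        "/some/local/file.json",
        "https://example.com/maps/%252e%252e/%252e%252e/other.json",
    ]
    for s in samples:
        print(s, "->", validate_geojson_url(s))
```

The same logic can be expressed as a reverse-proxy or WAF rule on the parameter carrying the map URL; doing it in both places means a bypass of one layer still meets the other.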
References
- 1. Patch: https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0
- 2. Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- 3. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: Nov 22, 2021
- CISA KEV Date: Nov 12, 2024
- Days Early: 1091 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.