Cyber Resilience

CVE-2021-41277

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 17 November 2021
Modified: 24 October 2025
KEV Added: 12 November 2024
CVSS Score (v3.1): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score: 0.9435 (100.0th percentile)
Risk Priority: 97 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-41277 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Metabase, the open source data analytics platform. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, its EPSS score of 0.9435 places it at the 100th percentile of all CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

Metabase, an open source data analytics platform, contains a local file inclusion and information disclosure vulnerability in its custom GeoJSON map feature under admin settings. Affected versions do not validate the URL supplied when adding a custom map before loading it, so a URL pointing at the local filesystem causes the server to read arbitrary local files, including files that expose environment variables.

An unauthenticated remote attacker can supply a crafted URL to read sensitive files on the server filesystem. The CVSS score of 10.0 reflects network reachability, no required privileges or user interaction, and a scope change (the files read belong to the host, not to the application's own authorization scope). Successful exploitation can disclose configuration secrets and other high-impact data.

The issue is addressed in maintenance releases 0.40.5 and 1.40.5, with the corresponding fix published in commit 042a36e. Official advisories recommend immediate upgrade or, as a temporary measure, deployment of validation rules in a reverse proxy, load balancer, or WAF in front of the application. The vulnerability is tracked in the CISA Known Exploited Vulnerabilities catalog.
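Why an unvalidated map URL turns into a local file read, and the kind of check that closes it, as an added Python example. This is not Metabase's Clojure code and not the fix in commit 042a36e; the http/https scheme allow-list is this example's assumption about what "validating URLs before loading" should mean, and the secrets file it reads is constructed on the fly.

```python
"""Added example, not Metabase's code: an unvalidated map URL handed to a
generic URL loader reads local files; an http(s) allow-list stops it."""
import pathlib
import tempfile
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only remote maps are legitimate


def load_geojson_unsafe(url: str) -> bytes:
    """The vulnerable pattern: the admin-supplied URL goes straight to a
    URL loader. Python's urlopen, like java.net.URL on the JVM that runs
    Metabase, resolves file:// URLs, so file:///etc/passwd reads the disk."""
    with urllib.request.urlopen(url) as resp:  # no scheme check at all
        return resp.read()


def validate_map_url(url: str) -> str:
    """Return url unchanged if it is an absolute http(s) URL with a host;
    otherwise raise ValueError. Scheme allow-listing is this example's
    assumption about the missing validation, not the upstream fix."""
    if not isinstance(url, str) or not url:
        raise ValueError("URL must be a non-empty string")
    # Reject before parsing: newer urlsplit() silently strips tabs, newlines
    # and leading/trailing control characters, which would mask smuggling.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not http or https")
    if not parts.hostname:  # also rejects http:///etc/passwd (empty authority)
        raise ValueError("URL has no host")
    return url


def load_geojson_safe(url: str) -> bytes:
    """Hardened loader: validate first, then fetch."""
    return load_geojson_unsafe(validate_map_url(url))


def rejects(url: str) -> bool:
    """True if validate_map_url refuses the URL."""
    try:
        validate_map_url(url)
    except ValueError:
        return True
    return False


def demo():
    """Write a constructed secrets file, then show the unsafe loader
    discloses it through a file:// URL while the validated loader refuses
    the same URL. Returns (leaked_bytes, refusal_reason)."""
    with tempfile.NamedTemporaryFile("wb", suffix=".env", delete=False) as f:
        f.write(b"DB_PASSWORD=constructed-sample-secret\n")  # constructed data
        path = pathlib.Path(f.name)
    try:
        url = path.as_uri()  # file:///tmp/....env
        leaked = load_geojson_unsafe(url)  # succeeds: local file disclosed
        try:
            load_geojson_safe(url)
            refused = "not refused"
        except ValueError as err:
            refused = str(err)
    finally:
        path.unlink()
    return leaked, refused


if __name__ == "__main__":
    print(demo())
```

The point of the unsafe loader is that nothing in it is exotic: any URL loader that understands more than http(s) (file:, jar: on the JVM) turns an unchecked admin-supplied URL into a file read, which is why the advisory's remedy is validation before loading rather than a change to the fetch itself.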

Vulnerability details

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you're unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
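The advisory's interim mitigation is a validation filter in front of the application; the same allow-list predicate is also what a responder runs over access logs to find attempts, blocked or not. The following is an added Python example, not from the page or from Metabase: it assumes the custom-map loader is reached as `GET /api/geojson?url=...` (the page only names the admin UI path), assumes nginx/Apache combined log format, and the log lines are constructed.

```python
"""Added example, not from the page or from Metabase: hunt an access log
for CVE-2021-41277-style requests. The endpoint path /api/geojson and the
url= parameter are assumptions (the page only names the admin UI path);
the log lines are constructed, in nginx/Apache combined format."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log. 203.0.113.7 probes file:// URLs, once plainly,
# once percent-encoded and once double-encoded; 198.51.100.9 is a normal
# admin adding a real map over https.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "GET /api/geojson?url=file:///etc/passwd HTTP/1.1" 200 1873 "-" "curl/8.4.0"
203.0.113.7 - - [12/Nov/2024:10:01:05 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fetc%2Fenvironment HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.9 - - [12/Nov/2024:10:02:11 +0000] "GET /api/geojson?url=https://example.org/maps/us-states.geojson HTTP/1.1" 200 93211 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2024:10:02:40 +0000] "POST /api/card/12/query HTTP/1.1" 202 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2024:10:03:00 +0000] "GET /api/geojson/?url=%2566ile%3A%2F%2F%2Fproc%2Fself%2Fenviron HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_map_url(value: str) -> bool:
    """True unless the decoded url= value is an absolute http(s) URL.
    Decoding twice catches the %25-encoded evasion a single-decode proxy
    rule would miss; anything without an http(s) scheme, including file:,
    jar: and bare paths, is flagged."""
    decoded = unquote(unquote(value)).strip()
    return urlsplit(decoded).scheme.lower() not in ("http", "https")


def hunt(lines):
    """Return one record per request to the GeoJSON endpoint whose url=
    parameter fails the allow-list, regardless of response status (a 403
    from a proxy rule is still an attempt worth attributing)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not path.rstrip("/").endswith("/api/geojson"):
            continue
        for value in parse_qs(query).get("url", []):  # parse_qs decodes once
            if is_suspicious_map_url(value):
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "url": unquote(value),
                })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

The predicate in `is_suspicious_map_url` is the same allow-list a reverse proxy or WAF rule in front of the endpoint would enforce; run over logs it attributes attempts, including the ones the proxy already rejected, and the double decode is there because a rule that decodes once lets `%2566ile%3A...` through to the application, which decodes it again.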

CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
KEV Date Added: 12 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: metabase
Product: metabase
Versions: 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.40.4

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of URL inputs before loading GeoJSON maps, blocking the unvalidated local URL that enables arbitrary file reads.

SC-7 Boundary Protection (prevent): Enforces boundary filtering via reverse proxy, WAF or load balancer rules to validate URLs before they reach the vulnerable Metabase endpoint.

Vendor patch (prevent): Requires prompt application of the vendor patch (0.40.5/1.40.5) that adds the missing URL validation and eliminates the file-inclusion flaw.
