CVE-2021-41277
Published: 17 November 2021
Summary
CVE-2021-41277 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Metabase. Its CVSS base score is 10.0 (Critical).
Operationally, it sits at the very top of all CVEs by exploit likelihood (the reported percentile rounds to the top 0.0%), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
Metabase, an open source data analytics platform, contains a path traversal and local file inclusion vulnerability in its custom GeoJSON map feature under admin settings. Affected versions do not validate the URL supplied when a custom map is added before loading it, so the loader will read arbitrary local files, including the process's environment variables, and disclose their contents.
An unauthenticated remote attacker can therefore supply a crafted URL and read sensitive files from the server filesystem. The 10.0 CVSS score reflects the flaw's network reachability with no privileges and no user interaction required. Because environment variables and configuration files commonly hold database credentials and application secrets, the immediate impact is disclosure of configuration secrets, which can provide the material for further compromise.
The issue is fixed in maintenance releases 0.40.5 and 1.40.5 and every later release; the corresponding fix is commit 042a36e. The vendor advisory recommends upgrading immediately or, as a temporary measure, deploying validation rules in a reverse proxy, load balancer or WAF in front of the application so that only acceptable map URLs reach it. Treat that filter as a stopgap that covers only the request path it inspects, and keep it in place until the upgrade is complete.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-28310
Vulnerability details
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- KEV Date Added: 12 November 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of URL inputs before loading GeoJSON maps, blocking the path traversal that enables arbitrary local file reads.
- SC-7 (Boundary Protection): enforces boundary filtering via reverse proxy, WAF or load balancer rules to validate URLs before they reach the vulnerable Metabase endpoint.
- Flaw remediation (vendor patch): requires prompt application of the vendor patch (0.40.5/1.40.5) that adds the missing URL validation and eliminates the file-inclusion flaw.
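The two technical controls above, input validation of the map URL (SI-10) and the same rule enforced at the boundary by a proxy or WAF (SC-7), in working form. This is an added example for this page, not Metabase's code and not the upstream fix in commit 042a36e: a scheme-allowlisting validator of the kind the GeoJSON loader lacked, and that validator run as a filter over constructed access-log lines. The endpoint path /api/geojson and the url query parameter in the sample lines are assumed names used for illustration, and the extra rejection of loopback and private addresses is an assumed policy that the advisory does not prescribe.

```python
"""Scheme-allowlisting URL check for a user-supplied map URL, plus the same
check applied as a boundary filter over access-log lines.

Added example for this page; it is not Metabase code and not the upstream fix.
The /api/geojson path and the url query parameter below are assumed names used
for illustration, and the log lines are constructed, not captured traffic.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_map_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate custom-map URL.

    Only absolute http(s) URLs with a host pass. file:, jar:, data:, bare paths
    and empty-host forms are all rejected by the allowlist; literal loopback,
    private and link-local addresses are rejected as an extra precaution that
    the advisory itself does not prescribe (assumed policy).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. an unbalanced IPv6 bracket
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() == "localhost":
        return False, "host localhost is not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True, "ok"  # a DNS name; resolve and re-check before fetching
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return False, f"host {host} is not a public address"
    return True, "ok"


# Constructed combined-format access-log lines for the demonstration.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [17/Nov/2021:10:00:01 +0000] "GET /api/geojson?url=https%3A%2F%2Fexample.org%2Fregions.geojson HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Nov/2021:10:00:02 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2810',
    '203.0.113.7 - - [17/Nov/2021:10:00:03 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1930',
    '198.51.100.9 - - [17/Nov/2021:10:00:04 +0000] "GET /api/geojson?url=http%3A%2F%2F127.0.0.1%3A3000%2F HTTP/1.1" 200 870',
    '10.0.0.5 - - [17/Nov/2021:10:00:05 +0000] "GET /api/card/12 HTTP/1.1" 200 4011',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_map_requests(lines: list[str], path: str = "/api/geojson",
                      param: str = "url") -> list[tuple[str, str, str]]:
    """Run validate_map_url over every request for `path` and return the
    rejected ones as (client_ip, decoded_url, reason).

    In front of the application this is the rule a reverse proxy or WAF
    enforces (SC-7); over historical logs it doubles as a retro-hunt for
    exploitation attempts.
    """
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != path:
            continue
        # parse_qs percent-decodes, so file%3A%2F%2F... becomes file://...
        for candidate in parse_qs(target.query).get(param, []):
            accepted, reason = validate_map_url(candidate)
            if not accepted:
                flagged.append((line.split(" ", 1)[0], candidate, reason))
    return flagged


if __name__ == "__main__":
    for client, url, reason in flag_map_requests(SAMPLE_ACCESS_LOG):
        print(f"BLOCK {client} -> {url!r}: {reason}")
```

A deny-list of `file:` alone is the wrong shape: the allowlist also stops jar:, data:, ftp: and scheme-less paths, and it is the same rule whether it lives in the application or in the proxy in front of it. When the host is a DNS name the validator accepts it; a production version should resolve the name, re-check the resulting address and pin the connection to it, so that a name resolving to 127.0.0.1 cannot bypass the literal-IP check.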