CVE-2021-41277

GeoJSON URL validation can expose server files and environment variables to unauthorized users

CVSS 10 (Critical) · EPSS 96.9% · KEV · CWE-200 · CWE-22
In short

Metabase failed to validate URLs when loading custom GeoJSON maps, allowing attackers to access sensitive files and environment variables on the server without authorization.

Technical detail

CWE-200/CWE-22: The application accepts arbitrary URLs in the GeoJSON map configuration endpoint without validation, enabling server-side request forgery (SSRF) and local file inclusion (LFI) attacks. An unauthenticated or low-privileged user can load file:// URLs to read local files and environment variables, exposing sensitive configuration data. Fixed in versions 0.40.5, 1.40.5, and later.

Summary generated and translated by AI from the official description.
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
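As an added illustration (not Metabase's own code), this is the kind of allow-list check the description says was missing before a custom map URL was fetched; the same logic could back the reverse-proxy or WAF filter the advisory recommends as an interim mitigation. The function names, blocked ranges and sample URLs are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example: the allow-list a GeoJSON map loader should apply
# before fetching a user-supplied URL. Only remote http(s) origins are
# accepted; file://, other schemes, embedded credentials and addresses
# that point back at the server or its own network are refused.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}


def _is_internal_ip(host: str) -> bool:
    """True when host is a literal IP in a loopback/private/link-local/reserved range."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Not an IP literal. A real loader must also re-check the address the
        # name resolves to at fetch time, otherwise DNS can point it inward.
        return False
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_geojson_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only plain remote http(s) URLs."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme or '(none)'}' not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, "host refers to the local machine"
    if _is_internal_ip(host):
        return False, "host is an internal or loopback address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for u in ("https://example.com/regions.geojson",
              "file:///path/to/local/file", "http://127.0.0.1/map.geojson"):
        print(u, "->", validate_geojson_url(u))
```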
Affected products
metabase · metabase