CVE-2021-41277

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0	Patch Third Party Advisory
https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:metabase:metabase:0.40.0:-::::::
	cpe:2.3:a:metabase:metabase:0.40.1:::::::*
	cpe:2.3:a:metabase:metabase:0.40.2:::::::*
	cpe:2.3:a:metabase:metabase:0.40.3:::::::*
	cpe:2.3:a:metabase:metabase:0.40.4:::::::*
	cpe:2.3:a:metabase:metabase:1.40.0:-::::::
	cpe:2.3:a:metabase:metabase:1.40.1:::::::*
	cpe:2.3:a:metabase:metabase:1.40.2:::::::*
	cpe:2.3:a:metabase:metabase:1.40.3:::::::*
	cpe:2.3:a:metabase:metabase:1.40.4:::::::*

History

07 Nov 2023, 03:38

Type	Values Removed	Values Added
Summary	Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If youâ€™re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.	Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

17 Jul 2023, 15:16

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-22

23 Nov 2021, 14:48

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr -~~	(CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Third Party Advisory
References	~~(MISC) https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 -~~	(MISC) https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch, Third Party Advisory
CWE	~~CWE-200~~	CWE-20
CPE		cpe:2.3:a:metabase:metabase:0.40.1:::::::* cpe:2.3:a:metabase:metabase:1.40.3:::::::* cpe:2.3:a:metabase:metabase:0.40.4:::::::* cpe:2.3:a:metabase:metabase:1.40.0:-:::::: cpe:2.3:a:metabase:metabase:1.40.4:::::::* cpe:2.3:a:metabase:metabase:1.40.2:::::::* cpe:2.3:a:metabase:metabase:0.40.3:::::::* cpe:2.3:a:metabase:metabase:0.40.2:::::::* cpe:2.3:a:metabase:metabase:0.40.0:-:::::: cpe:2.3:a:metabase:metabase:1.40.1:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~10.0~~	v2 : 5.0 v3 : 7.5

17 Nov 2021, 20:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-11-17 20:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-41277

Mitre link : CVE-2021-41277

CVE.ORG link : CVE-2021-41277

JSON object : View

Products Affected

metabase

metabase

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-41277

7.5^/10

5.0^/10

Attach tags to `CVE-2021-41277`