Vulnerability Description
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metabase | Metabase | 0.40.0 |
Related Weaknesses (CWE)
References
- https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc3Patch
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfrMitigationThird Party Advisory
- https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc3Patch
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfrMitigationThird Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-US Government Resource
FAQ
What is CVE-2021-41277?
CVE-2021-41277 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and ...
How severe is CVE-2021-41277?
CVE-2021-41277 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-41277?
Check the references section above for vendor advisories and patch information. Affected products include: Metabase Metabase.