CVE-2021-41277
HIGH CISA KEV
Published Nov 17, 2021 · Modified Jun 17, 2026
7.5 CVSS 3.1
KEV Listed Nov 12, 2024
KEV Due Dec 3, 2024
Description
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
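The defect class the description names (a user-controlled map URL handed straight to a loader that also understands file://) and the allow-list check that closes it, as an added illustration in Python. This is not Metabase's code and not the fixing commit; the endpoint path /api/geojson, the url query parameter and all sample request lines are assumptions constructed for the example. The last function applies the same check to a request line the way the reverse-proxy or WAF filter mentioned above would.

```python
"""Added illustration for the defect class behind CVE-2021-41277 (not
Metabase's code). A GeoJSON loader that passes a user-supplied URL to a
generic URL opener will also open file:// URLs, i.e. read local files.
The validator below refuses such URLs before anything is fetched; the
request-line filter applies it the way a reverse-proxy/WAF rule would.
The path ``/api/geojson``, the ``url`` parameter and the sample requests
are assumptions constructed for this example."""
import ipaddress
import os
import tempfile
import urllib.request
from pathlib import Path
from urllib.parse import parse_qs, urlsplit


def fetch_geojson_unsafe(url: str) -> bytes:
    """Vulnerable pattern: no validation. urllib's default opener handles
    file:// as well as http(s)://, so any file the service account can
    read is reachable."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


class UnsafeMapUrl(ValueError):
    """Raised when a candidate map URL fails the allow-list."""


def validate_geojson_url(url: str) -> str:
    """Allow only http(s) URLs whose host is not localhost or a literal
    loopback/private/link-local/unspecified address. Returns the URL
    unchanged on success, raises UnsafeMapUrl otherwise.

    Caveat: a DNS name may still resolve to an internal address (DNS
    rebinding, internal zones); a production check must also validate the
    resolved address at connect time. Left out of this offline example."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise UnsafeMapUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeMapUrl("missing host")
    if host.lower() == "localhost":
        raise UnsafeMapUrl("loopback host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return url  # a DNS name; see the caveat above
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast):
        raise UnsafeMapUrl(f"address not allowed: {host}")
    return url


def is_safe_map_url(url: str) -> bool:
    """Boolean form of validate_geojson_url."""
    try:
        validate_geojson_url(url)
    except UnsafeMapUrl:
        return False
    return True


def fetch_geojson_safe(url: str) -> bytes:
    """Hardened pattern: validate first, then fetch."""
    return fetch_geojson_unsafe(validate_geojson_url(url))


def demo_local_file_read() -> bytes:
    """The unsafe loader returning a local file through file://. The file
    is constructed here and stands in for any readable file on the host."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("DB_PASSWORD=example-only\n")
        path = f.name
    try:
        return fetch_geojson_unsafe(Path(path).as_uri())
    finally:
        os.unlink(path)


def waf_allows_request(request_line: str, path_prefix: str = "/api/geojson") -> bool:
    """Reverse-proxy style filter: block requests for the GeoJSON endpoint
    whose ``url`` query parameter fails the allow-list; pass everything
    else. Decodes once; a real rule must also cover double encoding and a
    request body if the application accepts the URL there."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if not parts.path.startswith(path_prefix):
        return True
    return all(is_safe_map_url(c) for c in parse_qs(parts.query).get("url", []))


# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /api/geojson?url=https%3A%2F%2Fexample.com%2Fcountries.geojson HTTP/1.1",
    "GET /api/geojson?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1",
    "GET /api/geojson?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1",
    "GET /api/geojson?url=http%3A%2F%2F%5B%3A%3A1%5D%3A3000%2Fapi%2Fsession HTTP/1.1",
    "GET /api/card/1 HTTP/1.1",
]


def filter_sample_requests() -> list:
    """Filter decision per sample request; True means allowed."""
    return [waf_allows_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print("unsafe loader read:", demo_local_file_read())
    for req, allowed in zip(SAMPLE_REQUESTS, filter_sample_requests()):
        print("ALLOW" if allowed else "BLOCK", req)
```

The scheme allow-list is the part that closes the local file inclusion; the literal-address checks are there because the same loader, once restricted to http(s), still becomes an SSRF primitive against link-local metadata services and anything listening on loopback. Name resolution is deliberately not performed here, so the validator alone does not defend against hostnames that resolve internally.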
CVSS Details
Base Score 7.5
Exploitability 3.9
Impact 3.6
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
CISA Known Exploited
- Added Nov 12, 2024
- Due Dec 3, 2024
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
Weaknesses 2
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected Products 10
References 3
- github.com https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0
- github.com https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277
Remediation
- github.com https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0