CVE-2021-41277
📋 TL;DR
This vulnerability in Metabase's custom GeoJSON map support lets an attacker read local files from the server. The /api/geojson endpoint fetched whatever URL was supplied in its url parameter without validating the scheme, so a file:// URL makes the server read a local file and return its contents; on Linux that includes /proc/self/environ, i.e. the process environment variables and any credentials passed through them. Metabase versions before 0.40.5 (open source) and 1.40.5 (Enterprise) are affected.
💻 Affected Systems
- Metabase
📦 What is this software?
Metabase by Metabase
⚠️ Risk & Real-World Impact
Worst Case
Reading /proc/self/environ on a Linux host exposes the process environment, which in a typical deployment contains the application database connection settings (the MB_DB_* variables) and any cloud or API credentials passed the same way; with those an attacker reaches the backing database and moves laterally from there.
Likely Case
Exposure of any file readable by the Metabase service account: environment variables, configuration files, /etc/passwd and similar, leading to credential disclosure and a follow-on data breach.
If Mitigated
With the endpoint blocked or allowlisted at the reverse proxy and the Metabase host segmented from sensitive systems, the impact is limited, but any file the service account can read remains exposed until the patch is applied.
🎯 Exploit Status
A single HTTP GET to /api/geojson with a file:// URL in the url parameter triggers the file read; no special tooling is needed and public proof-of-concept requests exist. CISA lists this CVE in its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.40.5 or 1.40.5 and later
Vendor Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
Restart Required: Yes
Instructions:
1. Back up your Metabase instance and its application database.
2. Stop the Metabase service.
3. Update to version 0.40.5 (open source) / 1.40.5 (Enterprise) or later.
4. Restart the Metabase service.
5. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Reverse Proxy URL Validation
Configure the reverse proxy in front of Metabase (nginx, Apache, etc.) to allow only http:// and https:// values in the url parameter of requests to the custom maps endpoint. An allowlist is preferable to blocking the literal string file://, because the parameter may arrive percent-encoded (file%3A%2F%2F), with a single slash (file:/etc/passwd), or in mixed case, and a denylist misses all of those. Blocking the endpoint outright is the simplest option if you can live without custom map previews until you patch.
# Example nginx location block (allowlist: only http(s) URLs reach Metabase).
# Exact match on /api/geojson so that /api/geojson/<key>, which serves already
# configured maps and takes no url parameter, keeps working.
location ~ ^/api/geojson/?$ {
    # $arg_url is not percent-decoded by nginx, so the encoded form of "://"
    # is matched as well; !~* is a case-insensitive negative match.
    if ($arg_url !~* "^https?(://|%3A%2F%2F)") {
        return 403;
    }
    proxy_pass http://metabase_upstream;   # assumed upstream name; use your own
}
Disable Custom Maps Feature
Remove custom GeoJSON map definitions and restrict the maps settings page to trusted administrators. Treat this as defence in depth only: the vulnerable endpoint fetches whatever URL it is given regardless of which custom maps are configured, so deleting map definitions does not close it.
# The MB_CUSTOM_GEOJSON environment variable holds the JSON definition of the
# custom maps themselves, not an on/off switch, so setting it to false is not a
# supported way to disable the feature. Newer releases have a separate
# MB_CUSTOM_GEOJSON_ENABLED setting, but it was not present in the affected
# releases and is not a workaround here.
🧯 If You Can't Patch
- If a reverse proxy rule is not an option, put an equivalent WAF rule in front of Metabase: allow only http:// and https:// values in the url parameter of /api/geojson. A plain file:// signature misses percent-encoded (file%3A%2F%2F) and single-slash (file:/) forms.
- Network segmentation: isolate Metabase instances from sensitive systems and restrict outbound connections from the Metabase host, since the same endpoint also fetches arbitrary http(s) URLs server-side.
🔍 How to Verify
Check if Vulnerable:
Check the Metabase version via the admin panel or the /api/session/properties endpoint, which is reachable without logging in and reports the version as a nested object whose tag field looks like "v0.40.4". Tags below v0.40.5 on the open-source (0.x) line or below v1.40.5 on the Enterprise (1.x) line are vulnerable.
Check Version (the version is nested, so match the tag field rather than a top-level "version" string):
curl -s http://metabase-host/api/session/properties | grep -o '"tag":"v[^"]*"'
Verify Fix Applied:
After updating, verify that the reported tag is v0.40.5 / v1.40.5 or higher, then confirm that existing custom maps still load from their https:// sources.
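The version check above, carried through as an added example (not code from the original page or from the Metabase project). It assumes that /api/session/properties carries the version under "version" -> "tag" (for example "v0.40.4"), that the 0.x line is fixed from 0.40.5 and the 1.x line from 1.40.5 as the advisory states, and it ships with a constructed sample response so it runs offline; pass a base URL as the single argument to query a live instance.

```python
"""Check a Metabase instance's reported version against the CVE-2021-41277 fix versions.

Added example, not part of the original page or the Metabase project. Assumes the
/api/session/properties response carries the version under "version" -> "tag".
"""
import json
import sys
import urllib.request

# First fixed release per version line: 0.x = open source, 1.x = Enterprise.
FIXED_VERSIONS = {0: (0, 40, 5), 1: (1, 40, 5)}

# Constructed sample response (not a real capture) in the shape Metabase returns;
# the real object carries many more settings, which are irrelevant here.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.40.4", "date": "2021-10-13",
                "branch": "release-x.40.x", "hash": "abc1234"},
    "setup-token": None,
})


def parse_tag(tag):
    """Turn a tag such as 'v0.40.4' or 'v0.41.0-RC1' into a (major, minor, patch) tuple.

    Pre-release suffixes are dropped, so an RC of a fixed release compares as fixed;
    treat RC builds as unpatched unless you have confirmed the fix is in them.
    """
    core = tag.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(tag):
    """True if the tag is older than the first fixed release of its version line."""
    version = parse_tag(tag)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        raise ValueError(f"unknown Metabase version line in tag {tag!r}")
    return version < fixed


def version_tag_from_properties(body):
    """Extract the version tag from a /api/session/properties JSON body."""
    props = json.loads(body)
    version = props.get("version")
    tag = version.get("tag") if isinstance(version, dict) else version
    if not tag:
        raise ValueError("response does not carry a version tag")
    return tag


def check_instance(base_url, timeout=10):
    """Fetch the public properties endpoint (no login needed) and classify the version."""
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        tag = version_tag_from_properties(resp.read().decode("utf-8"))
    return tag, is_vulnerable(tag)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        tag, vuln = check_instance(sys.argv[1])
    else:  # offline demonstration on the constructed sample
        tag = version_tag_from_properties(SAMPLE_PROPERTIES)
        vuln = is_vulnerable(tag)
    verdict = "VULNERABLE - upgrade to 0.40.5/1.40.5 or later" if vuln else "fixed version"
    print(f"{tag}: {verdict}")
```

The comparison is per version line: a 1.x tag is only checked against 1.40.5 and a 0.x tag against 0.40.5, so an Enterprise 1.39.x build is correctly reported as vulnerable even though 39 is less than 40 on both lines.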
📡 Detection & Monitoring
Log Indicators:
- Requests to /api/geojson whose url parameter is not an http(s) URL: file://, file:/ or percent-encoded file%3A forms, typically aimed at /etc/passwd, /proc/self/environ or Metabase configuration paths
- Errors or stack traces in the Metabase application log raised by the GeoJSON endpoint (for example file-not-found on unusual paths), which indicate probing for readable files
- Changes to custom map definitions in the admin maps settings by unexpected users or at unexpected times
Network Indicators:
- Outbound HTTP(S) from the Metabase host to internal addresses or the cloud metadata service (169.254.169.254): the same endpoint fetches http(s) URLs server-side, so it can be pointed at internal services. A file:// read produces no network traffic, so network telemetry alone will not show the local file reads.
- Inbound requests to /api/geojson, especially in bursts or from scanners, whose url parameter does not start with http:// or https:// (including percent-encoded forms)
SIEM Query (field names depend on your log source; url here is the percent-decoded value of the url query parameter):
source="metabase.logs" uri_path="/api/geojson" AND NOT (url="http://*" OR url="https://*")
Matching the literal string file:// misses percent-encoded (file%3A%2F%2F) and single-slash (file:/) forms, and matching on curl or wget user agents mostly adds noise, so invert the check: any url value that is not an http(s) URL is suspicious. Add a second rule for http(s) URLs whose host is loopback, an RFC 1918 address or 169.254.169.254, since the endpoint fetches those server-side.
🔗 References
- https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277