CVE-2021-41277

Published: 17/11/2021 Updated: 23/11/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.


Vulnerable Products

metabase metabase 0.40.0

metabase metabase 0.40.1

metabase metabase 0.40.2

metabase metabase 0.40.3

metabase metabase 0.40.4

metabase metabase 1.40.0

metabase metabase 1.40.1

metabase metabase 1.40.2

metabase metabase 1.40.3

metabase metabase 1.40.4

Github Repositories

CVE-2021-41277 Metabase GeoJSON map local file inclusion. Version: (x.40.0-x.40.4). Usage: chmod -x CVE-2021-41277.sh ./CVE-2021-41277.sh ip:port/ /etc/passwd. References: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41277

CVE-2021-41277 PoC. Metabase is an open source data analytics platform. A Local File Inclusion issue has been discovered in some versions of metabase. Here is the PoC code in order to determine whether the target has this vulnerability or not. An adversary could read arbitrary files on the metabase server. Build: go build -o CVE-2021-41277 main.go Instal

Metabase_CVE-2021-41277 Description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This

CVE-2021-41277 Metabase information-disclosure batch scanning script

CVE-2021-41277 MetaBase arbitrary file read vulnerability, fofa batch PoC. Disclaimer: this PoC is only for checking whether a target is vulnerable; any unauthorized testing is strictly prohibited, and the author accepts no responsibility. Usage: fill in the email and key of an ordinary fofa member account in fofa.txt; if you have a premium or enterprise account, change the corresponding queryable data quantity in the Python program. Then simply run it.

Metabase-cve-2021-41277 Metabase arbitrary file read. optional arguments: -h, --help show this help message and exit -u url, --url url Target url eg:"127.0.0.1" -f file, --file file Targets in file eg:"ip.txt" Use eg1:>>>python3 Metabase-cve-2021-41277.py -u 127.0.0.1 eg2:>>>python3 Metabase-cve-2021-4127
CVE-2021-41277 simple program for exploiting metabase. #install: gem install httparty; gem install colorize; gem install timeout

CVE-2021-41277 plugin made for LeakiX