First published: Wed Nov 17 2021 (Updated: )
Metabase is an open source data analytics platform. In affected versions, a security issue was discovered in the custom GeoJSON map support (`admin->settings->maps->custom maps->add a map`): the URL of a custom map was not validated before being loaded, allowing potential local file inclusion (including environment variables). This issue is fixed in a new maintenance release (0.40.5 and 1.40.5) and in every subsequent release. If you are unable to upgrade immediately, you can mitigate this by adding rules to your reverse proxy, load balancer or WAF that provide a validation filter in front of the application.
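As an added example (not Metabase's own code or its fix), the pre-load check the advisory says was missing, written in Python: only absolute http(s) URLs with a hostname are accepted, so a bare filesystem path or a `file:` URL supplied as a custom map source is refused before anything is opened. The same logic can serve as the validation filter the advisory suggests placing in a reverse proxy or WAF ahead of an unpatched instance; the function names and sample inputs are constructed for this example.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Schemes a custom-map URL may use; anything else (file:, ftp:, jar:, ...)
# is refused before the server ever tries to open it.
ALLOWED_SCHEMES = {"http", "https"}


def validate_geojson_url(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason). Accept only absolute http(s) URLs with a host."""
    if not isinstance(raw, str) or not raw.strip():
        return False, "empty"
    url = raw.strip()
    # Control characters or embedded spaces are never legitimate in a URL
    # and usually mean someone is trying to confuse the parser.
    if any(ord(c) < 0x20 or c == " " for c in url):
        return False, "control-or-space"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Covers file:///..., ftp://..., and scheme-less local paths.
        return False, "scheme:" + (parts.scheme or "none")
    if not parts.hostname:
        # "https:///map.geojson" parses with an empty authority.
        return False, "no-host"
    if parts.username or parts.password:
        return False, "userinfo"
    return True, "ok"


# Constructed sample inputs: values an administrator might legitimately enter,
# plus values a pre-load filter must refuse.
SAMPLES = [
    "https://example.org/maps/regions.geojson",
    "http://maps.example.org/us-states.json",
    "file:///etc/hostname",
    "/var/lib/map.geojson",
    "ftp://example.org/map.geojson",
    "https://user:pw@example.org/map.geojson",
    "https:///map.geojson",
    "",
]


def screen(urls):
    """Apply the check to a batch and return {url: reason} for every reject."""
    rejected = {}
    for u in urls:
        ok, reason = validate_geojson_url(u)
        if not ok:
            rejected[u] = reason
    return rejected


if __name__ == "__main__":
    for u in SAMPLES:
        print("%-5s %r" % (validate_geojson_url(u)[0], u))
```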
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Metabase Metabase | =0.40.0 | Upgrade to 0.40.5 or later |
| Metabase Metabase | =0.40.1 | Upgrade to 0.40.5 or later |
| Metabase Metabase | =0.40.2 | Upgrade to 0.40.5 or later |
| Metabase Metabase | =0.40.3 | Upgrade to 0.40.5 or later |
| Metabase Metabase | =0.40.4 | Upgrade to 0.40.5 or later |
| Metabase Metabase | =1.40.0 | Upgrade to 1.40.5 or later |
| Metabase Metabase | =1.40.1 | Upgrade to 1.40.5 or later |
| Metabase Metabase | =1.40.2 | Upgrade to 1.40.5 or later |
| Metabase Metabase | =1.40.3 | Upgrade to 1.40.5 or later |
| Metabase Metabase | =1.40.4 | Upgrade to 1.40.5 or later |
CVE-2021-41277 is a security vulnerability discovered in Metabase, an open source data analytics platform.
The severity of CVE-2021-41277 is critical with a CVSS score of 7.5.
CVE-2021-41277 affects Metabase versions 0.40.0 to 0.40.4 and versions 1.40.0 to 1.40.4.
CVE-2021-41277 allows potential local file inclusion and can expose sensitive information through custom GeoJSON maps in Metabase.
To fix CVE-2021-41277, it is recommended to upgrade Metabase to the latest version available.