CVE-2021-41277

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*

History

14 Nov 2024, 15:26

Type Values Removed Values Added
References () https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch, Third Party Advisory () https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch
References () https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Third Party Advisory () https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Mitigation, Third Party Advisory
CPE cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*

17 Jul 2023, 15:16

Type Values Removed Values Added
CWE CWE-20 CWE-22

23 Nov 2021, 14:48

Type Values Removed Values Added
CWE CWE-200 CWE-20
References (CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - (CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Third Party Advisory
References (MISC) https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - (MISC) https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : 10.0
v2 : 5.0
v3 : 7.5
CPE cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:*:*:*:*

17 Nov 2021, 20:17

Type Values Removed Values Added
New CVE

Information

Published : 2021-11-17 20:15

Updated : 2024-11-14 15:26


NVD link : CVE-2021-41277

Mitre link : CVE-2021-41277

CVE.ORG link : CVE-2021-41277


JSON object : View

Products Affected

metabase

  • metabase
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor