CVE-2021-41277

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 06:25

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 7.5
v2 : 5.0
v3 : 10.0
References () https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch () https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch
References () https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Mitigation, Third Party Advisory () https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Mitigation, Third Party Advisory

14 Nov 2024, 15:26

Type Values Removed Values Added
References () https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch, Third Party Advisory () https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0 - Patch
References () https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Third Party Advisory () https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - Mitigation, Third Party Advisory
CPE cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*

07 Nov 2023, 03:38

Type Values Removed Values Added
Summary Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application. Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

17 Jul 2023, 15:16

Type Values Removed Values Added
CWE CWE-20 CWE-22

Information

Published : 2021-11-17 20:15

Updated : 2024-11-21 06:25


NVD link : CVE-2021-41277

Mitre link : CVE-2021-41277

CVE.ORG link : CVE-2021-41277


JSON object : View

Products Affected

metabase

  • metabase
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')