CVE-2021-41277

Name of the Vulnerable Software and Affected Versions Metabase versions prior to 0.40.5 Metabase versions prior to 1.40.5

Description A security issue has been discovered in Metabase, an open source data analytics platform, related to the custom GeoJSON map support and potential local file inclusion, including environment variables. The issue arises because URLs were not validated prior to being loaded. This can be exploited through the /api/geojson endpoint by manipulating the url parameter, for example, GET /api/geojson?url=file:/etc/passwd HTTP/1.1. The issue is fixed in maintenance releases 0.40.5 and 1.40.5, and any subsequent releases.

Recommendations For versions prior to 0.40.5, update to version 0.40.5 or later. For versions prior to 1.40.5, update to version 1.40.5 or later. As a temporary workaround, consider including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.