CVE-2021-41277
published 2021-11-17


Priority: P1, 87, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-12-03
Exploited in the wild
EPSS: 97.18% (99.9th percentile)
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

Affected

12 ranges

Vendor     Product    Version range    Fixed in
metabase   metabase   < 0.40.5         0.40.5
(remaining 11 ranges: vendor metabase, product metabase; version range and fix not captured on this page)

Detection & IOCs (extracted from sources)

url: /api/geojson?url=file:///etc/passwd
url: /api/geojson?url=file:///c://windows/win.ini
path: /api/geojson
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound (CVE-2021-41277)"; flow:established,to_server; http.uri; content:"/api/geojson?url=file|3a 2f|"; fast_pattern; reference:url,github.com/0x0021h/expbox/blob/main/CVE-2021-41277.yaml; reference:cve,2021-41277; classtype:attempted-admin; sid:2034518; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_41277, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara:
regex: root:.*:0:0 (in HTTP response body)
bytes:
/api/geojson?url=file|3a 2f|
  • Detect HTTP GET requests to /api/geojson with a 'url' parameter using the file:// scheme, indicating LFI exploitation of the Metabase GeoJSON API.
  • Shodan/FOFA queries can identify exposed Metabase instances: search for http.title:"Metabase" or title="metabase".
  • Responses containing 'root:.*:0:0' in the body confirm successful /etc/passwd exfiltration via the LFI.
  • On Windows targets, successful exploitation returns content including 'bit app support', 'fonts', and 'extensions' (from win.ini).
  • The exploit is unauthenticated (PR:N) and network-reachable (AV:N); any public-facing Metabase instance prior to 0.40.5/1.40.5 should be treated as vulnerable.
  • The vulnerability is fixed in Metabase versions 0.40.5 and 1.40.5 and any subsequent release; only instances running versions prior to these are exploitable.
  • This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation.
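As an added example (not part of this advisory record or of Metabase), the first and third detection bullets above implemented in Python and run over constructed, hypothetical access-log lines: it flags /api/geojson requests whose url parameter uses the file: scheme (including percent-encoded variants) and applies the response-body indicator.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style, hypothetical addresses)
# used only to exercise the detector offline.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Nov/2021:10:01:02 +0000] "GET /api/geojson?url=file:///etc/passwd HTTP/1.1" 200 1832
203.0.113.5 - - [22/Nov/2021:10:01:03 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fc%3A%2F%2Fwindows%2Fwin.ini HTTP/1.1" 200 403
198.51.100.7 - - [22/Nov/2021:10:02:10 +0000] "GET /api/geojson?url=https://example.org/regions.geojson HTTP/1.1" 200 9100
198.51.100.7 - - [22/Nov/2021:10:02:11 +0000] "GET /api/card/1 HTTP/1.1" 200 540
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator from the advisory: a successful /etc/passwd read shows the root entry.
PASSWD_RE = re.compile(r"root:.*:0:0")


def is_geojson_lfi_request(target: str) -> bool:
    """True when the target is /api/geojson with a url= value using the file: scheme.

    parse_qs percent-decodes once; the extra unquote() also catches double-encoded
    values, and the scheme comparison is case-insensitive.
    """
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/api/geojson":
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
        if unquote(value).strip().lower().startswith("file:"):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (ip, target, status) for every log line matching the LFI pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_geojson_lfi_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


def response_indicates_passwd(body: str) -> bool:
    """Apply the advisory's response-body indicator (root:.*:0:0) to a response."""
    return PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"LFI attempt from {ip}: {target} (status {status})")
```

A 200 status on a flagged request is only a hint; confirm the outcome with the response-body check where response capture is available.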

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             10.0    CRITICAL
cisa                  7.5     HIGH