CVE-2021-41277
Published: 2021-11-17
Priority: P1 (87, high)
CVSS 3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV, ITW, Exploit
CISA Known Exploited Vulnerability; remediation due 2024-12-03
Exploited in the wild
EPSS: 97.18% (99.9th percentile)
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Affected (12 ranges listed by the source; only the first carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metabase | metabase | < 0.40.5 | 0.40.5 |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound (CVE-2021-41277)"; flow:established,to_server; http.uri; content:"/api/geojson?url=file|3a 2f|"; fast_pattern; reference:url,github.com/0x0021h/expbox/blob/main/CVE-2021-41277.yaml; reference:cve,2021-41277; classtype:attempted-admin; sid:2034518; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_41277, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
YARA/regex (HTTP response body): `root:.*:0:0`
Byte pattern (HTTP URI): `/api/geojson?url=file|3a 2f|`
- Detect HTTP GET requests to /api/geojson with a `url` parameter using the file:// scheme, indicating LFI exploitation of the Metabase GeoJSON API.
- Shodan/FOFA queries can identify exposed Metabase instances: search for http.title:"Metabase" or title="metabase".
- Responses containing `root:.*:0:0` in the body confirm successful /etc/passwd exfiltration via the LFI.
- On Windows targets, successful exploitation returns content including 'bit app support', 'fonts', and 'extensions' (from win.ini).
- The exploit is unauthenticated (PR:N) and network-reachable (AV:N); any public-facing Metabase instance prior to 0.40.5/1.40.5 should be treated as vulnerable.
- The vulnerability is fixed in Metabase versions 0.40.5 and 1.40.5 and any subsequent release; only instances running earlier versions are exploitable.
- This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation.
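The advisory says the root cause was that the GeoJSON `url` was loaded without validation, and the detection notes above key on the `file:` scheme in that parameter. As an added example (not Metabase's code and not any of the listed sources' rules), the Python below shows both sides: the scheme allowlist that a reverse proxy, WAF filter or the application itself could apply, and a scan of access-log lines for /api/geojson requests that would fail it. The Common Log Format layout, function names and sample lines are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Only remote http(s) map sources are legitimate for a custom GeoJSON map;
# file: and every other scheme is rejected.  Assumed allowlist.
ALLOWED_SCHEMES = {"http", "https"}


def geojson_url_allowed(url: str) -> bool:
    """Return True only for absolute http(s) URLs that name a host."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def find_geojson_lfi_attempts(log_lines):
    """Scan Common Log Format lines for requests to /api/geojson whose url=
    parameter fails the allowlist.  The query is decoded (parse_qs once,
    unquote again) so percent-encoded 'file%3A%2F' forms are normalised
    before the scheme check, unlike a raw byte match on the URI.
    Returns [(line_number, decoded_url), ...]."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        quoted = line.split('"')
        if len(quoted) < 2:
            continue
        request = quoted[1].split()  # e.g. GET /api/geojson?url=... HTTP/1.1
        if len(request) < 2:
            continue
        target = urlsplit(request[1])
        if target.path != "/api/geojson":
            continue
        for raw in parse_qs(target.query).get("url", []):
            candidate = unquote(raw)
            if not geojson_url_allowed(candidate):
                hits.append((line_no, candidate))
    return hits


# Constructed sample access-log lines (not real traffic); addresses are
# RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Nov/2021:10:01:02 +0000] "GET /api/geojson?url=file:/etc/passwd HTTP/1.1" 200 1847',
    '203.0.113.5 - - [22/Nov/2021:10:01:03 +0000] "GET /api/geojson?url=file%253A%252Fetc%252Fpasswd HTTP/1.1" 200 1847',
    '198.51.100.7 - - [22/Nov/2021:10:02:00 +0000] "GET /api/geojson?url=https://example.org/regions.geojson HTTP/1.1" 200 9021',
    '198.51.100.7 - - [22/Nov/2021:10:02:05 +0000] "GET /api/dashboard/1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, url in find_geojson_lfi_attempts(SAMPLE_LOG):
        print(f"line {line_no}: /api/geojson requested with disallowed url={url!r}")
```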
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | — | 10.0 | CRITICAL | — |
| CISA | — | 7.5 | HIGH | — |
CISA
Metabase GeoJSON API Local File Inclusion Vulnerability
cisa · 2024-11-12 · CVSS 7.5 [HIGH] · CWE-200
Affected: Metabase Metabase
Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr ; https://nvd.nist.gov/vuln/detail/CVE-2021-41277
Remediation Due Date: 2024-12-03
VulnCheck
Metabase GeoJSON API Local File Inclusion Vulnerability
vulncheck · 2021 · CVSS 10.0 [CRITICAL] · CWE-200
Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.
Affected: Metabase Metabase
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-security-trends-cross-site-scripting/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2021-41277; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-41277; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&
Suricata
ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound (CVE-2021-41277)
suricata · 2021-11-22 · CVSS 10.0 [CRITICAL]
Rule: sid:2034518, rev:1 (the full rule text is reproduced under Detection & IOCs above)
Nuclei
Metabase - Local File Inclusion
nuclei · CVSS 7.5 [HIGH]
Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded.
Template:
```yaml
id: CVE-2021-41277
info:
  name: Metabase - Local File Inclusion
  author: 0x_Akoko,DhiyaneshDK
  severity: high
  description: |
    Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were n
```
Sentinelone
Singularity Cloud Native Security | Eliminate False Positives and Focus On What Matters
blogs_sentinelone · 2024-07-31
Over the past few years, cloud computing has emerged as the de facto infrastructure of choice for the majority of new digital workloads created by organizations. The ease of use, scalability, and diverse set of cloud services are making the move to cloud computing more relevant and adopted.
However, a new IT environment comes with its own set of security challenges. According to SentinelOne’s 2024 Cloud Security Report, over 87% of organizations state that they have too many cloud security tools, resulting in security teams being in perpetual alert fatigue. The Offensive Security Engine™ (OSE), an automated red teaming feature of Cloud Native Security, our agentless CNAPP, eliminates false positives to allow cloud security teams to focus on the truly exploitable issues.
This blog expl
Unit42
Network Security Trends: November 2021 to January 2022
blogs_unit42 · 2022-05-31 · CVSS 9.8 [CRITICAL]
Yue Guan, Threat Research / Vulnerabilities. Published: May 31, 2022
Tags: Apache Log4j, Attack analysis, Denial of service, Exploit in Wild, Network security trends
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio
References:
- https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3dc322f0
- https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277
Timeline:
- 2021-11-17: Published
- 2024-11-12: Added to CISA KEV
- Exploited in the wild