CVE-2021-41277: Metabase local file inclusion vulnerability alert

Metabase is the easy, open-source way for everyone in your company to ask questions and learn from data. On November 22, 2021, we found that a proof of concept (PoC) for a Metabase local file inclusion vulnerability had been published on the Internet. The vulnerability is tracked as CVE-2021-41277, has a CVSSv3 score of 9.9, and its severity is rated serious.

CVE-2021-41277

Vulnerability Detail

There is a potential security issue in the custom GeoJSON map support (Admin -> Settings -> Maps -> Custom Maps -> Add a map) that allows local file inclusion, including the reading of environment variables. Only versions x.40.0-x.40.4 are affected.

Solution

In this regard, we recommend that users upgrade Metabase to the latest version promptly.

Patches

This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that (including x.41+).

Workarounds

If you’re on an affected version (x.40.0-x.40.4), upgrade immediately.

If you’re unable to upgrade immediately, you can mitigate this by adding rules to your reverse proxy, load balancer or WAF. Here are examples for ALB and Nginx, though it is recommended to block the endpoint /api/geojson completely:

ALB

Path contains /api/geojson
Query-string parameter url starts with "file:" or "http://169.254.169.254"
Return fixed response 403
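The ALB rule above, expressed as a request filter and run over constructed access-log lines so the match logic can be checked before it is deployed. This is an added example, not part of the advisory or of Metabase; the log lines, the should_block and flag_log_lines names, and the BLOCKED_URL_PREFIXES list are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Prefixes named in the advisory's ALB rule (assumed list; extend as needed).
BLOCKED_URL_PREFIXES = ("file:", "http://169.254.169.254")


def should_block(request_target: str) -> bool:
    """Return True if the request target should receive a fixed 403.

    Mirrors the rule: path contains /api/geojson and the `url` query
    parameter starts with a blocked prefix. The parameter is
    percent-decoded before matching, so an encoded "file%3A" is caught
    as well, which a raw-string WAF match could miss.
    """
    parts = urlsplit(request_target)
    if "/api/geojson" not in parts.path:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("url", []):
        if value.lstrip().lower().startswith(BLOCKED_URL_PREFIXES):
            return True
    return False


# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2021:10:01:02 +0000] "GET /api/geojson?url=file:///etc/hostname HTTP/1.1" 200 64
10.0.0.5 - - [22/Nov/2021:10:01:03 +0000] "GET /api/geojson?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
10.0.0.7 - - [22/Nov/2021:10:01:04 +0000] "GET /api/geojson?url=https://example.org/regions.geojson HTTP/1.1" 200 9000
10.0.0.8 - - [22/Nov/2021:10:01:05 +0000] "GET /api/card/1 HTTP/1.1" 200 300
"""


def flag_log_lines(log_text: str) -> list:
    """Return the request targets in a log that the rule would have blocked."""
    flagged = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]   # e.g. GET /api/geojson?... HTTP/1.1
            target = request.split(" ")[1]
        except IndexError:
            continue                       # malformed line; skip it
        if should_block(target):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for target in flag_log_lines(SAMPLE_LOG):
        print("would block:", target)
```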

Nginx: