CVE-2021-41277: Metabase local file inclusion vulerability alert
Metabase is the easy, open-source way for everyone in your company to ask questions and learn from data. On November 22, 2021, we found that the poc of Metabase local file inclusion vulnerability has been published on the Internet, the vulnerability number is CVE-2021-41277 with the CVSSv3 score of 9.9, the vulnerability level is serious.
a potential security issue with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables). Only versions x.40.0-x.40.4 are affected.
This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that (including x.41+).
If you’re on an affected version (x.40.0-x.40.4), upgrade immediately.
If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF. Here are examples for ALB and Nginx, though it is recommended to block the endpoint /api/geojson completely: