CVE-2021-41277
CRITICAL | KEV | NUCLEI
Metabase - Path Traversal and Local File Inclusion via Custom GeoJSON Map URL
Title source: llm
Exploitation Summary
CVE-2021-41277 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 12, 2024. EIP tracks 10 public exploits from researchers including tahtaciburak, zer0yu, and z3n70. A Nuclei detection template is also available.
AI-analyzed exploit summary: This PoC exploits a Local File Inclusion (LFI) vulnerability in Metabase by sending a crafted HTTP request to read arbitrary files (e.g., /etc/passwd). It checks for the presence of 'root:' in the response to confirm vulnerability.
Description
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Exploits (10)
This PoC exploits a Local File Inclusion (LFI) vulnerability in Metabase by sending a crafted HTTP request to read arbitrary files (e.g., /etc/passwd). It checks for the presence of 'root:' in the response to confirm vulnerability.
This repository contains a Go-based proof-of-concept for CVE-2021-41277, an information disclosure vulnerability in Metabase. The exploit checks for the vulnerability by attempting to read the /etc/passwd file via a crafted GeoJSON API request.
This repository contains a Ruby script that scans a list of domains for CVE-2021-41277, an SSRF vulnerability in Metabase. It checks for the presence of '/etc/passwd' content in the response to determine vulnerability.
This repository contains a writeup describing CVE-2021-41277, a local file inclusion vulnerability in Metabase's custom GeoJSON map feature. The issue allows unvalidated URLs to be loaded, potentially leading to information disclosure.
This script checks for CVE-2021-41277, a local file inclusion vulnerability in Metabase versions x.40.0-x.40.4. It attempts to read /etc/passwd via the GeoJSON API endpoint to confirm vulnerability.
This repository contains a Go-based plugin for LeakIX designed to detect CVE-2021-41277, a Local File Inclusion (LFI) vulnerability in Metabase. The plugin sends a crafted HTTP request to exploit the LFI and verifies the response for signs of successful exploitation.
This PoC exploits a local file inclusion vulnerability in Metabase's GeoJSON map feature (CVE-2021-41277) by sending a crafted request to read arbitrary files from the server. The script uses curl to fetch files via the vulnerable endpoint.
This repository contains a Python script that scans for CVE-2021-41277, an arbitrary file read vulnerability in Metabase. It uses the FOFA API to fetch potential targets and checks for vulnerability by attempting to read /etc/passwd.
This PoC exploits CVE-2021-41277, an arbitrary file read vulnerability in Metabase, by sending crafted requests to the `/api/geojson` endpoint with `file://` URLs to read sensitive files like `/etc/passwd` or `win.ini`.
This repository contains a functional Python script that exploits CVE-2021-41277, an arbitrary file read vulnerability in Metabase. The script sends a crafted request to the '/api/geojson' endpoint with a 'file:/etc/passwd' payload to read sensitive files.
Nuclei Templates (1)
http.title:"Metabase" || http.title:"metabase"
app="Metabase" || title="metabase" || app="metabase"
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L