External risk intelligence

Metabase Local File Inclusion Vulnerability

CVE advisoryKnown Exploit

CVE-2021-41277

Metabase analytics platforms are affected by a local file inclusion vulnerability. This issue can allow attackers to access sensitive files and environment variables, potentially exposing credentials and system configurations. This poses a business risk through unauthorized data exposure and could facilitate further ne

4Halo Surface Signal

Information Disclosure

Metabase

0.40.00.40.10.40.20.40.30.40.41.40.01.40.11.40.21.40.31.40.4

External exposure likelihood

Halo Surface Signal score for CVE-2021-41277

Metabase is a widely used data analytics and business intelligence platform designed to be deployed as a web application. It is commonly hosted as a centralized web-based interface for internal or external users to access data dashboards and analytics, making its web interface a standard, reachable network service.

Horizon Alert

Summary of the vulnerability and why it matters

Metabase, an open-source data analytics platform, has a security flaw related to its custom map feature. This weakness allows unauthorized access to local files, including environment variables, by not properly validating URLs. The potential impact includes unauthorized data exposure, affecting the confidentiality of sensitive information.

Vulnerable component: Custom map feature
Core weakness: Unvalidated URLs
Main business impact: Data exposure

Attack Path

How an attacker could exploit the issue

This vulnerability in the Metabase analytics platform allows an attacker to access sensitive files on the server. The attack involves manipulating URLs within the custom map feature to read arbitrary files, including environment variables. This could expose system configurations and credentials to the attacker.

Publicly accessible Metabase instance.
Attacker sends malicious URL.
Attacker accesses local files.

Live Threat

Current exploitation, exposure, and threat context

Metabase, an open-source data analytics platform, experienced a security vulnerability that allowed for the inclusion of local files. This could expose environment variables and sensitive data. The issue was addressed in maintenance releases starting with version 0.40.5 and 1.40.5. Organizations unable to immediately upgrade can implement mitigation rules in their reverse proxy, load balancer, or Web Application Firewall to validate URLs before they reach the application.

Attackers with low skill.
No prior access needed.
High business risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A security vulnerability in Metabase, a data analytics platform, could allow unauthorized access to local files. This is due to how the custom GeoJSON map feature handles URLs. This issue poses a business risk by potentially exposing sensitive information.

Identify Metabase instances and their configurations.
Isolate affected systems or implement proxy/WAF rules.
Apply the vendor fix, verify, and monitor.

Frequently asked questions

What is Metabase and its primary use case?

Metabase is an open-source platform for data analytics, enabling users to explore data and create visual dashboards. Its main purpose is to make business intelligence easily accessible within an organization, allowing individuals to query data and gain insights.

What type of weaknesses are associated with CVE-2021-41277 in Metabase?

CVE-2021-41277 represents a Local File Inclusion vulnerability (CWE-22) and an Information Exposure weakness (CWE-200). These weaknesses allow an attacker to potentially read sensitive files on the Metabase server by exploiting the way custom map feature handles URLs.

How can an attacker exploit the custom map feature in Metabase?

An attacker can exploit the custom map feature by crafting malicious URLs that are not properly validated before being loaded. This allows them to include local files, potentially leading to the exposure of environment variables and other sensitive data residing on the server.

What is the relevance of CVE-2021-41277 for Metabase users, according to Halo Surface Signal?

Halo Surface Signal assesses the relevance of CVE-2021-41277 as 'Likely' due to Metabase being a widely used web application for data analytics, commonly deployed as a centralized interface accessible over the network.

What steps should be taken to address the Metabase local file inclusion vulnerability?

To address this vulnerability, identify all Metabase instances, isolate affected systems, or implement validation rules on reverse proxies or WAFs. Applying the vendor-provided fix in maintenance releases (0.40.5 and 1.40.5, or later) and subsequent monitoring are crucial practical responses.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.