Metabase Local File Inclusion (CVE-2021-41277)
Description
Metabase versions prior to the patched releases contain a Local File Inclusion (LFI) vulnerability in the GeoJSON URL validation mechanism. This flaw allows unauthenticated remote attackers to read arbitrary files from the server's filesystem and access environment variables by exploiting insufficient input validation when processing GeoJSON map data sources.
Remediation
Immediately upgrade Metabase to a patched version that addresses CVE-2021-41277. Refer to the official Metabase security advisory (GHSA-w73v-6p7p-fpfr) for specific version numbers that contain the fix. After upgrading, review server logs for any suspicious GeoJSON-related requests that may indicate exploitation attempts. Additionally, rotate any credentials or secrets that may have been exposed, including database passwords, API keys, and encryption keys stored in environment variables or configuration files.
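The log review step above, as an added example that is not part of the original advisory: a small Python scanner that flags GeoJSON requests whose `url` parameter is not an http(s) URL to an allow-listed host, so that anything pointing at the local filesystem stands out. It assumes the proxy endpoint path ends in `/geojson` and takes a `url` query parameter, that the access log is in common log format, and that `geo.example.com` is your legitimate map source; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (not real traffic) in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2021:10:01:02 +0000] "GET /api/geojson?url=https%3A%2F%2Fgeo.example.com%2Fstates.json HTTP/1.1" 200 5120
10.0.0.9 - - [20/Nov/2021:10:01:15 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 200 19
10.0.0.9 - - [20/Nov/2021:10:01:20 +0000] "GET /api/geojson?url=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 19
10.0.0.7 - - [20/Nov/2021:10:02:00 +0000] "GET /api/card/12 HTTP/1.1" 200 800
"""

# Hosts your GeoJSON maps are legitimately fetched from (assumption: adjust to your deployment).
ALLOWED_HOSTS = {"geo.example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_geojson_target(raw_url):
    """Return None if the GeoJSON source looks legitimate, else a short reason."""
    target = raw_url
    # Decode repeatedly: nested percent-encoding is a common way past naive filters.
    while unquote(target) != target:
        target = unquote(target)
    parsed = urlparse(target)
    if ".." in parsed.path:
        return "path traversal in URL path"
    if parsed.scheme not in ("http", "https"):
        return f"non-http scheme {parsed.scheme or '<none>'!r}"
    if parsed.hostname not in ALLOWED_HOSTS:
        return f"host {parsed.hostname!r} not in allow-list"
    return None

def find_suspicious_geojson_requests(log_text):
    """Return (ip, timestamp, reason) for every GeoJSON request outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if not path.endswith("/geojson"):  # assumption: Metabase GeoJSON proxy path
            continue
        for raw in parse_qs(query).get("url", []):  # parse_qs already percent-decodes once
            reason = classify_geojson_target(raw)
            if reason:
                hits.append((m.group("ip"), m.group("ts"), reason))
    return hits

if __name__ == "__main__":
    for ip, ts, reason in find_suspicious_geojson_requests(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Any hit is a trigger to treat the host as potentially exposed and proceed to the credential rotation step; a clean scan is not proof of non-exploitation if log retention predates the first vulnerable exposure.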