一、 漏洞 CVE-2021-41277 基础信息
漏洞标题
GeoJSON URL验证可能将服务器文件和环境变量暴露给未经授权的用户
来源:AIGC 神龙大模型
漏洞描述信息
地理JSON URL验证可能会将服务器文件和环境变量暴露给未经授权的用户
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
来源:AIGC 神龙大模型
漏洞类别
N/A
来源:AIGC 神龙大模型
漏洞标题
GeoJSON URL validation can expose server files and environment variables to unauthorized users
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
来源:美国国家漏洞数据库 NVD
漏洞类别
信息暴露
来源:美国国家漏洞数据库 NVD
漏洞标题
Metabase 路径遍历漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Metabase是美国Metabase公司的一个开源数据分析平台。 Metabase 中存在路径遍历漏洞,该漏洞源于产品的 admin->settings->maps->custom maps->add a map 操作缺少权限验证。攻击者可通过该漏洞获得敏感信息。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
路径遍历
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2021-41277 的公开POC
# POC 描述 源链接 神龙链接
1 Metabase任意文件读取漏洞批量扫描工具 https://github.com/Seals6/CVE-2021-41277 POC详情
2 PoC for CVE-2021-41277 https://github.com/tahtaciburak/CVE-2021-41277 POC详情
3 Metabase 任意文件读取 https://github.com/Henry4E36/Metabase-cve-2021-41277 POC详情
4 MetaBase 任意文件读取漏洞 fofa批量poc https://github.com/kap1ush0n/CVE-2021-41277 POC详情
5 simple program for exploit metabase https://github.com/z3n70/CVE-2021-41277 POC详情
6 plugin made for LeakiX https://github.com/kaizensecurity/CVE-2021-41277 POC详情
7 None https://github.com/Vulnmachines/Metabase_CVE-2021-41277 POC详情
8 Metabase GeoJSON map local file inclusion https://github.com/TheLastVvV/CVE-2021-41277 POC详情
9 None https://github.com/zer0yu/CVE-2021-41277 POC详情
10 CVE-2021-41277 can be extended to an SSRF https://github.com/sasukeourad/CVE-2021-41277_SSRF POC详情
11 It is a nmap script for metabase vulnerability (CVE-2021-41277) https://github.com/frknktlca/Metabase_Nmap_Script POC详情
12 MetaBase 任意文件读取 https://github.com/Chen-ling-afk/CVE-2021-41277 POC详情
13 None https://github.com/RubXkuB/PoC-Metabase-CVE-2021-41277 POC详情
14 MetaBase 任意文件读取 https://github.com/chengling-ing/CVE-2021-41277 POC详情
15 It is a nmap script for metabase vulnerability (CVE-2021-41277) https://github.com/grey-master-a/Metabase_Nmap_Script POC详情
16 Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-41277.yaml POC详情
17 None https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Metabase%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2021-41277.md POC详情
18 None https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Metabase%20geojson%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2021-41277.md POC详情
19 https://github.com/vulhub/vulhub/blob/master/metabase/CVE-2021-41277/README.md POC详情
三、漏洞 CVE-2021-41277 的情报信息