
CVE-2021-41277 PoC — GeoJSON URL validation can expose server files and environment variables to unauthorized users

Associated Vulnerability
Title: GeoJSON URL validation can expose server files and environment variables to unauthorized users (CVE-2021-41277)
Description: Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you are unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Description
CVE-2021-41277 can be extended to an SSRF 
Readme
# CVE-2021-41277_SSRF
CVE-2021-41277 can be extended to an SSRF 

## Description

[Metabase](https://github.com/metabase/metabase) is an open source data analytics platform. **Metabase versions < 0.40.5** (and 1.x versions < 1.40.5) were affected by **CVE-2021-41277**, which led to local file inclusion according to the [CVE description](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41277).

While analyzing the finding described in the [Metabase Security Advisory](https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr) and diffing the code, it appeared that the bug can be extended to an **SSRF**, since URL schemes were not filtered either: the custom map URL was fetched as supplied, so it could point at `file://` and `ftp://` resources as well as at `http://` hosts that are only reachable from the Metabase server.


### POC || GTFO 

The first test is to make the Metabase instance call an external server. This succeeds, as shown below: the instance requests the attacker-controlled URL.
![Metabase instance fetching an external server](https://raw.githubusercontent.com/sasukeourad/CVE-2021-41277_SSRF/main/Pictures/ssrf_web.png)


The second test is to scan the internal network. It starts by using the LFI to identify the network the instance sits in:

![Local file read used to identify the internal network](https://raw.githubusercontent.com/sasukeourad/CVE-2021-41277_SSRF/main/Pictures/lfi.png)

Then various internal IP addresses and ports can be probed to identify running services:

![Probing internal hosts and ports through the SSRF](https://raw.githubusercontent.com/sasukeourad/CVE-2021-41277_SSRF/main/Pictures/local_network.png)


The third test is to use a different scheme: FTP to the rescue. This works too. It is important to note, though, that Metabase forces the response Content-Type, which prevents escalating this attack to an RCE.

![Fetching a resource over ftp:// through the custom map URL](https://raw.githubusercontent.com/sasukeourad/CVE-2021-41277_SSRF/main/Pictures/ftp2.png)


Finally, the vulnerability lets an attacker reach internal cloud-provider endpoints such as the AWS and Google Cloud instance metadata services, which can leak sensitive information, as shown below:

![AWS instance metadata reached through the SSRF](https://raw.githubusercontent.com/sasukeourad/CVE-2021-41277_SSRF/main/Pictures/aws2.png)

![Google Cloud internal metadata reached through the SSRF](https://raw.githubusercontent.com/sasukeourad/CVE-2021-41277_SSRF/main/Pictures/google_internal2.png)
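The four tests above all come from the same root cause: the custom map URL is fetched exactly as the administrator typed it. The check below is an added example (not code from this repository or from Metabase) of the validation a fetcher should apply before loading a user-supplied GeoJSON URL. It rejects every class of URL used in the PoC: non-`http(s)` schemes (`file://`, `ftp://`), IP literals and hostnames that map to loopback, private, link-local or otherwise non-public addresses (which covers `169.254.169.254`), IPv4-mapped IPv6 literals that hide such an address, and the GCE metadata hostname. The hostnames, the `FAKE_DNS` table and the `fake_resolve` function are constructed so the example runs offline; a real deployment would resolve with the system resolver.

```python
"""Allow-list check for a user-supplied GeoJSON URL (added example, not Metabase code)."""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Names that must never be fetched on a user's behalf, whatever they resolve to.
# metadata.google.internal is the GCE metadata server name.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}

# Constructed stand-in for DNS so the example runs offline. A real deployment
# resolves with socket.getaddrinfo(); note that getaddrinfo() also accepts odd
# literals such as "2130706433" or "0x7f000001", which is why the decision is
# made on the resolved addresses and not on the hostname string.
FAKE_DNS = {
    "attacker.example": ["8.8.8.8"],                 # any globally routable address
    "intranet.corp.example": ["10.0.0.5"],           # private, must be refused
    "rebind.example": ["8.8.4.4", "127.0.0.1"],      # one public, one loopback
}


def fake_resolve(host):
    """Hypothetical resolver: returns the IP strings a name maps to."""
    return FAKE_DNS.get(host, [])


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:169.254.169.254 is still link-local
    return addr.is_global and not (
        addr.is_loopback or addr.is_link_local or addr.is_multicast
        or addr.is_reserved or addr.is_unspecified
    )


def classify_geojson_url(url, resolve=fake_resolve):
    """Return (allowed, reason) for a URL an admin wants loaded as a custom map."""
    try:
        parsed = urlparse(url)
        host = parsed.hostname            # lower-cased, brackets stripped for IPv6
    except ValueError as exc:             # e.g. unbalanced [ ] in an IPv6 literal
        return False, f"unparseable URL: {exc}"

    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:     # file://, ftp:// and friends stop here
        return False, f"scheme {scheme or '<none>'!r} not allowed"
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_HOSTNAMES:
        return False, f"hostname {host!r} is blocked"

    try:
        addrs = [ipaddress.ip_address(host)]              # IPv4 or IPv6 literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            return False, f"hostname {host!r} does not resolve"

    # Every address a name maps to must be public: refusing on a single
    # non-public record is what defeats the mixed-answer trick.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} maps to non-public address {addr}"
    return True, "public http(s) URL"


# URLs shaped like the PoC steps above (constructed, attacker.example is fictional).
PROBE_URLS = [
    "http://attacker.example/map.json",                   # external server
    "file:///etc/passwd",                                 # LFI
    "http://10.0.0.5:8080/",                              # internal host:port
    "ftp://attacker.example/map.json",                    # other scheme
    "http://169.254.169.254/latest/meta-data/",           # AWS metadata
    "http://metadata.google.internal/computeMetadata/v1/",  # GCE metadata
    "http://[::ffff:169.254.169.254]/",                   # mapped-address bypass
]


def run_probes(urls=PROBE_URLS):
    """Classify each URL; returns {url: allowed}."""
    return {u: classify_geojson_url(u)[0] for u in urls}


if __name__ == "__main__":
    for u in PROBE_URLS:
        allowed, reason = classify_geojson_url(u)
        print(f"{'ALLOW' if allowed else 'DENY '}  {u}  ({reason})")
```

Two caveats apply to any such check. First, validating a name and then letting an HTTP client resolve it again is a time-of-check/time-of-use gap (DNS rebinding); the fetcher should connect to the address that passed the check and send the original name in the `Host` header, or re-run `is_public_address` on the socket's peer address. Second, the check must be re-applied to every redirect target, or redirects must be disabled, otherwise a public host can simply bounce the request to `169.254.169.254`.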


#### Note!

This was responsibly disclosed to Metabase. I appreciate the response and professionalism of their security team.
File Snapshot

```
/data/pocs/5c41803bf8460a9dee1838fcd0058cc1fe9d9caf
├── Pictures
│   ├── aws2.png
│   ├── ftp2.png
│   ├── google_internal2.png
│   ├── lfi.png
│   ├── local_network.png
│   └── ssrf_web.png
└── README.md

1 directory, 7 files
```