Description

Acunetix determined that it was possible to access Metabase's sensitive files without authentication.

Remediation

Upgrade to the latest version of Metabase

References

GeoJSON URL validation can expose server files and environment variables to unauthorized users

Related Vulnerabilities

WordPress 5.7.x Multiple Vulnerabilities (5.7 - 5.7.7)

Unrestricted access to Odoo DB manager

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.14)

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Information Disclosure (1.8.11)

WordPress Plugin W3 Total Cache Information Disclosure (0.9.2.4)

Severity

High

Classification

CVE-2021-41277 CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

File Inclusion