CVE-2021-41277: 
NixOS vulnerability analysis and mitigation

CVE-2021-41277 is a security vulnerability discovered in Metabase, an open-source data analytics platform used by over 60,000 companies. The vulnerability affects the custom GeoJSON map feature (accessed via admin->settings->maps->custom maps->add a map) in versions x.40.0-x.40.4, where URLs were not properly validated prior to being loaded. The issue was disclosed in October 2021 and has been assigned a CVSS v3.1 base score of 9.9 (Critical) (GitHub Advisory).

The vulnerability stems from improper validation of user-supplied input in the custom GeoJSON map feature. The security flaw allows for potential local file inclusion, including access to environment variables, due to URLs not being properly validated before being loaded. The vulnerability has been assigned CWE-22 (Path Traversal) and CWE-200 (Information Disclosure) classifications (NVD, GitHub Advisory).

Successful exploitation of this vulnerability could lead to unauthorized access to server files and environment variables, potentially exposing sensitive information to unauthorized users. The vulnerability has been detected by more than 30,000 sensors, indicating widespread attack attempts (FortiGuard).

The vulnerability has been patched in versions 0.40.5, 1.40.5, and any subsequent releases (including x.41+). For organizations unable to upgrade immediately, temporary mitigation can be implemented through reverse proxy, load balancer, or WAF rules. Recommended configurations include blocking the /api/geojson endpoint completely or implementing specific filtering rules in ALB or Nginx to prevent access to file URIs and metadata API URLs (GitHub Advisory).

The vulnerability was discovered and reported by multiple security researchers, including @XNL_h4ck3r, @iBruteSec, @Vermsec, @HolyBugx, and @Netmous3. The issue has gained significant attention due to Metabase's widespread use across various organizations, including major companies like Capital One and OpenAI (GitHub Advisory).