
GeoJSON URL validation can expose server files and environment variables to unauthorized users

Critical
rlotun published GHSA-w73v-6p7p-fpfr Oct 5, 2021

Package

OSS and EE (Metabase)

Affected versions

x.40.0, x.40.1, x.40.2, x.40.3, x.40.4

Patched versions

x.40.5, x.41

Description

Impact

We've discovered a security issue in the custom GeoJSON map support (admin -> settings -> maps -> custom maps -> add a map) that allows potential local file inclusion, including reading environment variables. Only versions x.40.0-x.40.4 are affected.

Patches

This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that (including x.41+).

Workarounds

If you’re on an affected version (x.40.0-x.40.4), upgrade immediately.

If you’re unable to upgrade immediately, you can mitigate this by adding rules to your reverse proxy, load balancer or WAF. Here are examples for ALB and Nginx, though it is recommended to block the endpoint /api/geojson completely:

ALB:

    Path containing /api/geojson
    Query string of url is starting with "file:" or "http://169.254.169.254"
    Return fixed response 403

Nginx:

    location ~* /api/geojson {
      if ($args ~* "(^|&)url=(%|file|http.+169\.254\.\d+\.\d+)" ) {
        add_header Content-Type text/plain always;
        return 403 "File URIs and Metadata API URL are forbidden.";
      }
      rewrite ^(.*)$ $1 break;
      try_files $uri @metabase;
    }
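The same check the Nginx rule above applies, written as a standalone filter that can be run over proxy access-log request lines to find requests that would have been blocked. This is an added example, not Metabase's code or part of the advisory; it assumes the query parameter is named `url` as on the page, and it goes slightly beyond the regex by URL-decoding the value (so a double-encoded `file:` is still caught) and by treating any link-local address, IPv4 or IPv6, as a metadata target.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

GEOJSON_PATH = "/api/geojson"  # endpoint named in the advisory


def extract_url_param(request_uri: str) -> Optional[str]:
    """Return the decoded `url` query parameter of a /api/geojson request, else None."""
    parts = urlsplit(request_uri)
    if not parts.path.lower().startswith(GEOJSON_PATH):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("url")
    if not values:
        return None
    # parse_qs already decoded once; decode again so "file%253A" is inspected too.
    return unquote(values[0])


def is_forbidden_target(url: str) -> bool:
    """True for file: URIs and for link-local hosts such as 169.254.169.254."""
    target = urlsplit(url.strip())
    if target.scheme == "file":  # urlsplit lowercases the scheme
        return True
    try:
        return ipaddress.ip_address(target.hostname or "").is_link_local
    except ValueError:  # hostname is a DNS name, not an IP literal
        return False


def should_block(request_uri: str) -> bool:
    """Decision the proxy rule makes for one request URI."""
    url = extract_url_param(request_uri)
    return url is not None and is_forbidden_target(url)


def flag_requests(request_uris: List[str]) -> List[str]:
    """Return the request URIs that the workaround would have answered with 403."""
    return [uri for uri in request_uris if should_block(uri)]


# Constructed sample request lines (not real log data).
SAMPLE_REQUESTS = [
    "/api/geojson?url=https://example.org/countries.geojson",  # legitimate
    "/api/geojson?url=file:///some/local/path",                 # file: URI
    "/api/geojson?url=http://169.254.169.254/",                 # metadata host
    "/api/geojson?url=file%253A%2F%2F%2Fsome%2Fpath",           # double-encoded
    "/api/card/1?url=file:///unrelated",                        # other endpoint
]

if __name__ == "__main__":
    for uri in flag_requests(SAMPLE_REQUESTS):
        print("would block:", uri)
```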

References

https://www.metabase.com/docs/latest/administration-guide/20-custom-maps.html

Credits

Thanks to (Twitter handles): @XNL_h4ck3r @iBruteSec @Vermsec @HolyBugx @Netmous3

Severity

Critical
9.9 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE ID

CVE-2021-41277

Weaknesses