CVE-2022-39360
Metabase SSO users able to circumvent IdP login by doing password reset
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
Metabase es un software de visualización de datos. En versiones anteriores a 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9, los usuarios de inicio de sesión único (SSO) podían restablecer sus contraseñas en Metabase, lo que podía permitir el acceso de un usuario sin pasar por el IdP de SSO. Este problema ha sido corregido en las versiones 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 y 1.41.9. Metabase ahora bloquea el restablecimiento de la contraseña para todos los usuarios que usan SSO para su inicio de sesión en Metabase
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-02 CVE Reserved
- 2022-10-26 CVE Published
- 2024-05-18 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-304: Missing Critical Step in Authentication
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730 | 2022-10-28 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.41.0 < 0.41.9 Search vendor "Metabase" for product "Metabase" and version " >= 0.41.0 < 0.41.9" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.42.0 < 0.42.6 Search vendor "Metabase" for product "Metabase" and version " >= 0.42.0 < 0.42.6" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.43.0 < 0.43.7 Search vendor "Metabase" for product "Metabase" and version " >= 0.43.0 < 0.43.7" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 0.44.0 < 0.44.5 Search vendor "Metabase" for product "Metabase" and version " >= 0.44.0 < 0.44.5" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.41.0 < 1.41.9 Search vendor "Metabase" for product "Metabase" and version " >= 1.41.0 < 1.41.9" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.42.0 < 1.42.6 Search vendor "Metabase" for product "Metabase" and version " >= 1.42.0 < 1.42.6" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.43.0 < 1.43.7 Search vendor "Metabase" for product "Metabase" and version " >= 1.43.0 < 1.43.7" | - |
Affected
| ||||||
Metabase Search vendor "Metabase" | Metabase Search vendor "Metabase" for product "Metabase" | >= 1.44.0 < 1.44.5 Search vendor "Metabase" for product "Metabase" and version " >= 1.44.0 < 1.44.5" | - |
Affected
|