Skip to content

SSO users able to circumvent IdP login by doing password reset

High
ranquild published GHSA-gw4g-ww2m-v7vc Oct 24, 2022

Package

Metabase OSS and Enterprise (Metabase)

Affected versions

<x.44.5,<x.43.7,<x.42.6,<x.41.9

Patched versions

0.44.5,1.44.5,0.43.7,1.43.7,0.42.6,1.42.6,0.41.9,1.41.9

Description

Impact

SSO users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP.

Patches

The following patches (or greater versions) are available:

  • 0.44.5 and 1.44.5,
  • 0.43.7 and 1.43.7,
  • 0.42.6 and 1.42.6,
  • 0.41.9 and 1.41.9

All releases are available on https://github.com/metabase/metabase/releases.

Mitigation

Metabase now blocks password reset for all users who use SSO for their Metabase login.

Severity

High

CVE ID

CVE-2022-39360

Weaknesses