SSO users able to circumvent IdP login by doing password reset
Package
Metabase OSS and Enterprise
(Metabase)
Affected versions
< x.44.5, < x.43.7, < x.42.6, < x.41.9
Patched versions
0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, 1.41.9
Impact
SSO users were able to perform password resets on Metabase, which could allow such a user to log in with a Metabase password without going through the SSO IdP.
Patches
The following patches (or greater versions) are available: 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, 1.41.9.
All releases are available on https://github.com/metabase/metabase/releases.
Mitigation
Metabase now blocks password reset for all users who use SSO for their Metabase login.
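The gate described above, as an added illustration (hypothetical code, not Metabase's own implementation): a user record is assumed to carry an `sso_source` field that is `None` for local password accounts and names the IdP type otherwise. The unpatched handler issues a reset token to anyone; the patched handler refuses SSO-managed accounts at token issuance and re-checks at token consumption, so an account switched to SSO after a token was issued cannot be given a password either.

```python
"""Added example: refusing password resets for SSO-managed accounts.

Hypothetical illustration, not Metabase's code. Assumes each user record carries
an `sso_source` attribute (None for local password accounts, otherwise the IdP
type, e.g. "saml" or "jwt").
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    email: str
    sso_source: Optional[str] = None      # None => local password account
    password_hash: Optional[str] = None   # only meaningful for local accounts


@dataclass
class ResetStore:
    """Outstanding single-use reset tokens, mapped to the account they belong to."""
    tokens: Dict[str, str] = field(default_factory=dict)  # token -> email


def is_sso_managed(user: User) -> bool:
    """True when the IdP, not the application, is the authority for this login."""
    return user.sso_source is not None


# Before: any account, SSO-managed or not, can obtain a reset token.
# This is the behaviour the advisory describes as the vulnerability.
def request_reset_unpatched(user: User, store: ResetStore) -> str:
    token = secrets.token_urlsafe(32)
    store.tokens[token] = user.email
    return token


# After: SSO-managed accounts are refused at issuance. The caller should send
# the same generic response either way so the endpoint does not reveal which
# accounts are SSO-managed.
def request_reset_patched(user: User, store: ResetStore) -> Optional[str]:
    if is_sso_managed(user):
        return None
    token = secrets.token_urlsafe(32)
    store.tokens[token] = user.email
    return token


# The check is repeated when the token is consumed: a token issued while the
# account was local must not set a password if the account is SSO-managed now.
def consume_reset(token: str, new_password_hash: str,
                  store: ResetStore, users: Dict[str, User]) -> bool:
    email = store.tokens.pop(token, None)   # single use: removed on first attempt
    if email is None:
        return False
    user = users.get(email)
    if user is None or is_sso_managed(user):
        return False
    user.password_hash = new_password_hash
    return True


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    users = {
        "sso-user@example.test": User("sso-user@example.test", sso_source="saml"),
        "local-user@example.test": User("local-user@example.test"),
    }
    store = ResetStore()
    print("patched handler issues token to SSO user:",
          request_reset_patched(users["sso-user@example.test"], store) is not None)
    tok = request_reset_patched(users["local-user@example.test"], store)
    print("local user reset succeeds:",
          consume_reset(tok, "argon2id$...", store, users))
```

The same `is_sso_managed` predicate is the natural place to also refuse password-based login for those accounts; checking it at both issuance and consumption keeps the IdP as the only path to a session even across account-type changes.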