Vulnerability Description
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to perform password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
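The control described above, as an added illustration in Python (not Metabase's own Clojure code): a "forgot password" handler that refuses to mint a local-password reset token for any account owned by an SSO identity provider, with `block_sso=False` reproducing the pre-fix behaviour. The `User`, `ResetStore` and sample accounts are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class User:
    email: str
    # Identity provider that owns this account ("saml", "google", ...);
    # None means a local account with an application-managed password.
    sso_source: Optional[str] = None


@dataclass
class ResetStore:
    # sha256(token) -> email; only the hash is persisted server-side.
    tokens: Dict[str, str] = field(default_factory=dict)
    outbox: List[str] = field(default_factory=list)  # simulated reset e-mails


GENERIC_REPLY = "If that address has a local password, a reset link has been sent."


def request_reset(users: Dict[str, User], store: ResetStore, email: str,
                  block_sso: bool = True) -> str:
    """Handle a password-reset request.

    block_sso=False reproduces the pre-fix behaviour from the advisory: an
    SSO-backed user receives a usable reset token and can set a local password
    that bypasses the IdP. block_sso=True is the fixed behaviour. The reply is
    identical in every branch so the endpoint does not reveal whether an
    address exists or which login method it uses.
    """
    user = users.get(email.strip().lower())
    if user is None:
        return GENERIC_REPLY
    if block_sso and user.sso_source is not None:
        # Account is owned by the IdP: never mint a local-password reset token.
        return GENERIC_REPLY
    token = secrets.token_urlsafe(32)
    store.tokens[hashlib.sha256(token.encode()).hexdigest()] = user.email
    store.outbox.append(f"to={user.email} token={token}")
    return GENERIC_REPLY


def tokens_issued_for(store: ResetStore, email: str) -> int:
    return sum(1 for e in store.tokens.values() if e == email)


# Constructed sample accounts: one local, one SAML-backed.
USERS = {u.email: u for u in (User("alice@example.com"),
                              User("bob@example.com", sso_source="saml"))}
```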
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metabase | Metabase | >= 0.41.0, < 0.41.9 |
Related Weaknesses (CWE)
References
- https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c9 (Patch, Third Party Advisory)
- https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc (Third Party Advisory)
FAQ
What is CVE-2022-39360?
CVE-2022-39360 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, wh...
How severe is CVE-2022-39360?
CVE-2022-39360 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39360?
Check the references section above for vendor advisories and patch information. Affected product: Metabase (vendor: Metabase).