CVE Vulnerability

CVE-2022-39360

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730 Patch Third Party Advisory
https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
Information

Published : 2022-10-26 07:15

Updated : 2022-10-28 04:29

NVD link : CVE-2022-39360

Mitre link : CVE-2022-39360

Products Affected
No products.
CWE
CWE-287