VYPR
Unrated severity · NVD Advisory · Published Oct 26, 2022 · Updated Apr 23, 2025

Metabase SSO users able to circumvent IdP login by doing password reset

CVE-2022-39360

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to reset their passwords on Metabase, which could allow a user to gain access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.


Affected products

  • Metabase/Metabase, 2 versions
    • (no CPE) range: <0.44.5, <1.44.5, <0.43.7, <1.43.7, <0.42.6, <1.42.6, <0.41.9, <1.41.9
    • (no CPE) range: < 0.41.9
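
A version check built from the patched releases listed in the description, as an added example (not Metabase's or the advisory's own code). It assumes the fixes apply per release branch (the minor version), that 1.x builds older than branch 41 are affected like the listed `< 0.41.9` range, and that branches after 44 carry the fix; the host names and sample versions are constructed.

```python
import re

# Fixed patch level per release branch (minor version), from the advisory
# text. 0.x is the open-source build, 1.x the Enterprise build.
FIXED_PATCH = {41: 9, 42: 6, 43: 7, 44: 5}
OLDEST_FIXED_BRANCH = min(FIXED_PATCH)
NEWEST_FIXED_BRANCH = max(FIXED_PATCH)

_VERSION_RE = re.compile(r"^v?([01])\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text):
    """Return (edition, minor, patch) from strings such as 'v0.43.4' or '1.44.5'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text):
    """True if the version predates the CVE-2022-39360 fix for its branch."""
    _edition, minor, patch = parse_version(text)
    if minor < OLDEST_FIXED_BRANCH:
        # The page lists a "< 0.41.9" range; older branches have no fixed release.
        return True
    if minor > NEWEST_FIXED_BRANCH:
        # Assumption: branches released after 44 already include the fix.
        return False
    return patch < FIXED_PATCH[minor]


def triage(inventory):
    """Map host -> 'affected' / 'patched' / 'unknown' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            # Unparseable tags (e.g. a floating 'latest') need manual review.
            result[host] = "unknown"
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"bi-prod": "v0.43.4", "bi-ent": "1.44.5", "bi-old": "0.38.2", "bi-dev": "latest"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` run a tag that hides the real version, so confirm the running build before treating them as patched.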
