PT-2022-24928 · Metabase · Metabase

Ranquild · Published 2022-10-26 · Updated 2022-10-28 · CVE-2022-39360

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Metabase versions prior to 0.41.9 and 1.41.9
Metabase versions prior to 0.42.6 and 1.42.6
Metabase versions prior to 0.43.7 and 1.43.7
Metabase versions prior to 0.44.5 and 1.44.5

Description
The issue allows single sign-on (SSO) users to perform password resets on Metabase, potentially granting access without going through the SSO identity provider (IdP).

Recommendations
Update to the patched release of the branch in use:
For versions prior to 0.41.9 and 1.41.9, update to version 0.41.9 or 1.41.9.
For versions prior to 0.42.6 and 1.42.6, update to version 0.42.6 or 1.42.6.
For versions prior to 0.43.7 and 1.43.7, update to version 0.43.7 or 1.43.7.
For versions prior to 0.44.5 and 1.44.5, update to version 0.44.5 or 1.44.5.
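As an added illustration (not Metabase's code), the pattern this advisory describes next to its hardened form: a password-reset handler that issues tokens to SSO-backed accounts, beside one that refuses them and re-checks at redemption time. The User model, the sso_source field, the handler names and the sample accounts are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
@dataclass
class User:
    email: str
    sso_source: Optional[str] = None  # IdP owning the account ("saml", ...); None = local password (assumed field)
    reset_tokens: Set[str] = field(default_factory=set)

# Constructed sample directory: one local account, one provisioned through SAML SSO.
USERS: Dict[str, User] = {
    "alice@example.test": User("alice@example.test"),
    "bob@example.test": User("bob@example.test", sso_source="saml"),
}

def request_reset_vulnerable(email: str) -> Optional[str]:
    """The flaw: issues a reset token to any known account, SSO-backed or not."""
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user.reset_tokens.add(token)
    return token

def request_reset_hardened(email: str) -> Optional[str]:
    """Issues a reset token only when the account authenticates with a local password."""
    user = USERS.get(email)
    if user is None or user.sso_source is not None:
        return None  # SSO accounts have no local credential to reset; they must use the IdP
    token = secrets.token_urlsafe(32)
    user.reset_tokens.add(token)
    return token

def consume_reset_token(email: str, token: Optional[str]) -> bool:
    """Redemption-time check: rejects SSO accounts even if a token was issued earlier."""
    user = USERS.get(email)
    if user is None or user.sso_source is not None or token not in user.reset_tokens:
        return False
    user.reset_tokens.discard(token)  # single use
    return True

def scenario() -> Dict[str, bool]:
    """Runs the advisory's scenario against both handlers and returns the outcomes."""
    sso_token = request_reset_vulnerable("bob@example.test")
    local_token = request_reset_hardened("alice@example.test")
    return {
        "vulnerable_issues_token_to_sso_user": sso_token is not None,
        "hardened_issues_token_to_sso_user": request_reset_hardened("bob@example.test") is not None,
        "sso_token_redeemable": consume_reset_token("bob@example.test", sso_token),
        "local_user_reset_succeeds": consume_reset_token("alice@example.test", local_token),
    }
```

The redemption-time re-check matters because an account can be converted to SSO after a token was issued; denying at both points closes that window.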

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2022-39360
GHSA-GW4G-WW2M-V7VC

Affected Products
Metabase