CVE-2022-39360

Source
https://cve.org/CVERecord?id=CVE-2022-39360
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39360.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39360
Aliases
  • GHSA-gw4g-ww2m-v7vc
Published
2022-10-26T00:00:00Z
Modified
2026-07-15T01:49:00.343599756Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Metabase SSO users able to circumvent IdP login by doing password reset
Details

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39360.json",
    "cwe_ids": [
        "CWE-287",
        "CWE-304"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type
GIT
Repo
https://github.com/metabase/metabase
Events
Database specific
{
    "cpe": "cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.41.0"
        },
        {
            "fixed": "0.41.9"
        },
        {
            "introduced": "1.41.0"
        },
        {
            "fixed": "1.41.9"
        },
        {
            "introduced": "0.42.0"
        },
        {
            "fixed": "0.42.6"
        },
        {
            "introduced": "1.42.0"
        },
        {
            "fixed": "1.42.6"
        },
        {
            "introduced": "0.43.0"
        },
        {
            "fixed": "0.43.7"
        },
        {
            "introduced": "1.43.0"
        },
        {
            "fixed": "1.43.7"
        },
        {
            "introduced": "0.44.0"
        },
        {
            "fixed": "0.44.5"
        },
        {
            "introduced": "1.44.0"
        },
        {
            "fixed": "1.44.5"
        }
    ]
}

Affected versions

v0.*
v0.41.0
v0.41.1
v0.41.2
v0.41.3
v0.41.3.1
v0.41.5
v0.41.6
v0.41.7
v0.41.8
v0.42.0
v0.42.1
v0.42.2
v0.42.3
v0.42.4
v0.42.4.1
v0.42.5
v0.43.0
v0.43.1
v0.43.2
v0.43.3
v0.43.4
v0.43.4.1
v0.43.4.2
v0.43.5
v0.43.6
v0.44.0
v0.44.1
v0.44.2
v0.44.3
v0.44.4
v1.*
v1.41.0
v1.41.1
v1.41.2
v1.41.3
v1.41.3.1
v1.41.5
v1.41.6
v1.41.7
v1.41.8
v1.42.0
v1.42.1
v1.42.2
v1.42.3
v1.42.4
v1.42.4.1
v1.42.5
v1.43.0
v1.43.1
v1.43.2
v1.43.3
v1.43.4
v1.43.4.1
v1.43.4.2
v1.43.5
v1.43.6
v1.44.0
v1.44.1
v1.44.2
v1.44.3
v1.44.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39360.json"