Lucene search

[email protected]NVD:CVE-2022-39360

HistoryOct 26, 2022 - 7:15 p.m.

CVE-2022-39360

2022-10-2619:15:13

CWE-304

CWE-287

[email protected]

web.nvd.nist.gov

metabase

data visualization

sso

password reset

cve-2022-39360

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

19.4%

JSON

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.

Affected configurations

Nvd

Node

metabasemetabaseRange0.41.0–0.41.9

metabasemetabaseRange0.42.0–0.42.6

metabasemetabaseRange0.43.0–0.43.7

metabasemetabaseRange0.44.0–0.44.5

metabasemetabaseRange1.41.0–1.41.9

metabasemetabaseRange1.42.0–1.42.6

metabasemetabaseRange1.43.0–1.43.7

metabasemetabaseRange1.44.0–1.44.5

VendorProductVersionCPE
metabasemetabase*cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
metabase	metabase	*	cpe:2.3:a:metabase:metabase::::::::

References

github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730

github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

19.4%

JSON

Related for NVD:CVE-2022-39360

prion1 cvelist1 osv1 cve1