Metabase is a popular data visualization and reporting tool that helps users explore and make sense of their data. It emphasizes ease of use, allowing non-technical users to build valuable data insights. Before the fixed releases listed below, however, Metabase was affected by a security vulnerability in its password reset flow for Single Sign-On (SSO) users. This article describes the vulnerability, CVE-2022-39360, and how to mitigate it.

Vulnerability Details

Before the release of Metabase versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, there was a flaw in the password reset functionality for SSO users. A user who logs in to Metabase through SSO could go through the normal forgotten-password flow and set a local password on the account. From then on the account could authenticate with email and password directly against Metabase, bypassing the SSO Identity Provider (IdP) and whatever controls the IdP enforces (for example, access revocation or multi-factor authentication).

This issue has been assigned the CVE identifier CVE-2022-39360 and affects Metabase installations running versions older than those listed above.

The following requests illustrate the flow as it existed before the fix. The endpoint names are those of the Metabase session API; the token value is a placeholder.

POST /api/session/forgot_password
Content-Type: application/json

{
  "email": "sso-user@example.com"
}

Metabase emails a reset token to that address. The user then submits the token together with a new password:

POST /api/session/reset_password
Content-Type: application/json

{
  "token": "<token from the reset email>",
  "password": "NewLocalPassword123!"
}

Because the token is delivered only to the mailbox tied to the account, this is not a way for an arbitrary attacker to reset any SSO user's password. The flaw is that Metabase accepted the flow at all for accounts that are meant to be authenticated only by the IdP. Once a local password is set, the account can sign in with email and password through POST /api/session, and the IdP, together with any policy it enforces (deprovisioning, MFA, conditional access), is never consulted.

Mitigation and Patching

To address the vulnerability, Metabase has released updates for each affected release line:

- 0.44.5 and 1.44.5
- 0.43.7 and 1.43.7
- 0.42.6 and 1.42.6
- 0.41.9 and 1.41.9

In these updated versions, password reset functionality is disabled for all users who use SSO for their Metabase login, so such accounts can only authenticate through the IdP. Update your Metabase installation to one of the patched versions above (or a later release) to close the bypass.
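To make the fix concrete, here is an added illustration (not Metabase's own code) of the reset flow as a small in-memory model. With hardened=False it reproduces the pre-fix behaviour: any known email address gets a reset token, and an SSO-managed account ends up with a working local password. With hardened=True it applies the rule the patched releases introduce: an account that carries an SSO source gets no token and cannot set a local password. The class and field names (User, sso_source, ResetFlow) are assumptions chosen for the example, and the user store is constructed inline.

```python
"""Toy model of the CVE-2022-39360 bypass and of the fix described above.

Added illustration with an in-memory user store; this is not Metabase's own
code, and the class and field names (User.sso_source, ResetFlow, ...) are
assumptions chosen for the example.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    email: str
    sso_source: Optional[str] = None        # e.g. "saml"; None means a local account
    password_hash: Optional[bytes] = None   # None until a local password exists
    salt: bytes = field(default_factory=lambda: os.urandom(16))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetFlow:
    """Password-reset service. hardened=False reproduces the pre-fix behaviour
    (any known email gets a token); hardened=True applies the patched rule that
    accounts managed by an IdP get no reset token and cannot set a local password."""

    def __init__(self, users: Dict[str, User], hardened: bool) -> None:
        self.users = users
        self.hardened = hardened
        self.tokens: Dict[str, str] = {}  # token -> email; stands in for the reset email

    def forgot_password(self, email: str) -> Optional[str]:
        """Return the token that would be emailed, or None when none is issued."""
        user = self.users.get(email)
        if user is None:
            return None  # unknown address: nothing is sent
        if self.hardened and user.sso_source is not None:
            return None  # fixed behaviour: SSO users must authenticate at the IdP
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        email = self.tokens.pop(token, None)  # single use
        if email is None:
            return False
        user = self.users[email]
        if self.hardened and user.sso_source is not None:
            return False  # second check so a stale token cannot slip through
        user.password_hash = _hash(new_password, user.salt)
        return True

    def login_with_password(self, email: str, password: str) -> bool:
        """Local email/password login; the IdP is never consulted here."""
        user = self.users.get(email)
        if user is None or user.password_hash is None:
            return False
        return hmac.compare_digest(user.password_hash, _hash(password, user.salt))


def sso_bypass_possible(hardened: bool) -> bool:
    """Run the whole flow for a constructed SSO-managed user and report whether
    they end up able to log in with a local password, i.e. bypassing the IdP."""
    users = {"sso-user@example.com": User("sso-user@example.com", sso_source="saml")}
    flow = ResetFlow(users, hardened=hardened)
    token = flow.forgot_password("sso-user@example.com")
    if token is None:
        return False
    flow.reset_password(token, "NewLocalPassword123!")
    return flow.login_with_password("sso-user@example.com", "NewLocalPassword123!")


if __name__ == "__main__":
    print("pre-fix behaviour, IdP bypass possible:", sso_bypass_possible(hardened=False))
    print("patched behaviour, IdP bypass possible:", sso_bypass_possible(hardened=True))
```

Local (non-SSO) accounts keep a working reset flow under the hardened rule; the decision keys off the account's SSO marker at the moment the reset is requested, so the reset email for an IdP-managed account is simply never sent, and the second check in reset_password covers any token issued before the rule was applied.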

The release notes for these updates are published in the official Metabase release notes:

- Release notes 0.44.5
- Release notes 1.44.5
- Release notes 0.43.7
- Release notes 1.43.7
- Release notes 0.42.6
- Release notes 1.42.6
- Release notes 0.41.9
- Release notes 1.41.9

To ensure the security of your Metabase installation, it's essential to review your current version and apply the necessary updates as soon as possible. Staying up-to-date with security patches is critical for maintaining a secure and reliable data visualization environment.
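As an added check (example code, not Metabase's own tooling), the following Python decides whether a given Metabase version tag predates the fixed release on its line, handling both the 0.x (open source) and 1.x (enterprise) builds. Two things are assumptions rather than statements from the advisory: that release lines newer than 0.44/1.44 carry the fix, and that GET /api/session/properties on a running instance exposes the version as {"version": {"tag": "v0.44.4"}}; the sample response below is constructed, so the check runs offline.

```python
"""Decide whether a Metabase build predates the CVE-2022-39360 fixes.

Added example, not Metabase tooling.  The fixed-version table comes from the
advisory; the assumptions are that later release lines (0.45/1.45 and up)
carry the fix, and that GET /api/session/properties exposes the running
version as {"version": {"tag": "v0.44.4", ...}} (verify on your instance).
"""
import json
import re
import urllib.request
from typing import Tuple

# First patched patch-level per (major, minor).  Metabase publishes each
# release as a 0.x (open source) and a 1.x (enterprise) build in lock-step.
FIXED_VERSIONS = {
    (0, 44): 5, (1, 44): 5,
    (0, 43): 7, (1, 43): 7,
    (0, 42): 6, (1, 42): 6,
    (0, 41): 9, (1, 41): 9,
}
NEWEST_FIXED_MINOR = max(minor for _, minor in FIXED_VERSIONS)  # 44
OLDEST_FIXED_MINOR = min(minor for _, minor in FIXED_VERSIONS)  # 41

_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of a properties response, trimmed to the field we need.
SAMPLE_PROPERTIES_JSON = '{"version": {"tag": "v0.44.4"}}'


def parse_tag(tag: str) -> Tuple[int, int, int]:
    """Turn 'v0.44.4', '1.43.7' or 'v0.44.5-SNAPSHOT' into (major, minor, patch)."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(tag: str) -> bool:
    """True when the build is older than the fixed release on its line."""
    major, minor, patch = parse_tag(tag)
    if major not in (0, 1):
        raise ValueError(f"unexpected Metabase major version in {tag!r}")
    if minor > NEWEST_FIXED_MINOR:
        return False  # assumption: lines released after the fix include it
    if minor < OLDEST_FIXED_MINOR:
        return True   # no patched release exists for lines older than 41
    return patch < FIXED_VERSIONS[(major, minor)]


def version_tag_from_properties(properties_json: str) -> str:
    """Extract the version tag from a /api/session/properties body."""
    return json.loads(properties_json)["version"]["tag"]


def fetch_version_tag(base_url: str, timeout: float = 5.0) -> str:
    """Query a live instance (network; not exercised by the offline sample)."""
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return version_tag_from_properties(resp.read().decode("utf-8"))


if __name__ == "__main__":
    tag = version_tag_from_properties(SAMPLE_PROPERTIES_JSON)
    print(tag, "vulnerable" if is_vulnerable(tag) else "patched")
```

Point fetch_version_tag at your own instance's base URL to replace the constructed sample; if the properties endpoint on your deployment does not expose the tag, the version shown in the Metabase admin settings can be passed to is_vulnerable directly.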

Timeline

Published on: 10/26/2022 19:15:00 UTC
Last modified on: 10/28/2022 16:29:00 UTC