CVE-2022-39360

CVSS V2 None CVSS V3 Medium 6.5
Description
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
Overview
  • CVE ID
  • CVE-2022-39360
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-10-26T19:15:13
  • Last Modified Date
  • 2022-10-28T16:29:32
Weakness Enumerations
CWE URL
CWE-287 http://cwe.mitre.org/data/definitions/287.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 0.41.0 0.41.9
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 0.42.0 0.42.6
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 0.43.0 0.43.7
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 0.44.0 0.44.5
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 1.41.0 1.41.9
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 1.42.0 1.42.6
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 1.43.0 1.43.7
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:* 1 OR 1.44.0 1.44.5
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 6.5
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730
https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-39360
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39360
History
Created Old Value New Value Data Type Notes
2022-10-26 20:00:12 Added to TrackCVE
2022-12-07 12:41:41 2022-10-26T19:15Z 2022-10-26T19:15:13 CVE Published Date updated
2022-12-07 12:41:41 2022-10-28T16:29:32 CVE Modified Date updated
2022-12-07 12:41:41 Analyzed Vulnerability Status updated