SSO users able to circumvent IdP login by doing password reset

High

ranquild published GHSA-gw4g-ww2m-v7vc

Oct 24, 2022

Package

Metabase OSS and Enterprise (Metabase)

Affected versions

<x.44.5,<x.43.7,<x.42.6,<x.41.9

Patched versions

0.44.5,1.44.5,0.43.7,1.43.7,0.42.6,1.42.6,0.41.9,1.41.9

Description

Impact

SSO users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP.

Patches

The following patches (or greater versions) are available:

0.44.5 and 1.44.5,
0.43.7 and 1.43.7,
0.42.6 and 1.42.6,
0.41.9 and 1.41.9

All releases are available on https://github.com/metabase/metabase/releases.

Mitigation

Metabase now blocks password reset for all users who use SSO for their Metabase login.