Metabase SSO users able to circumvent IdP login by doing password reset

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

认证中关键步骤缺失

Metabase 授权问题漏洞

Metabase是美国Metabase公司的一个开源数据分析平台。 Metabase 存在安全漏洞，该漏洞源于单点登录 (SSO) 用户能够在 Metabase 上重置密码，这可以允许用户在不通过 SSO IdP 的情况下进行访问。

N/A

N/A