CVE-2022-39360: CWE-304: Missing Critical Step in Authentication in metabase metabase
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
AI Analysis
Technical Summary
CVE-2022-39360 is a vulnerability in Metabase, an open-source data visualization and business intelligence platform widely used for building dashboards and analyzing data. It affects versions prior to 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. The root cause is a missing critical step in the authentication process for users who authenticate via Single Sign-On (SSO): in the affected versions, the password-reset flow did not check whether an account was SSO-managed, so SSO users could request and complete a password reset directly within Metabase. Such an account then carries a Metabase-local password that works without the SSO Identity Provider (IdP) ever being consulted, circumventing the intended authentication mechanism and the controls the IdP is meant to enforce. This improper authentication (CWE-287) and missing critical step in authentication (CWE-304) could lead to unauthorized access to sensitive business intelligence data. Exploitation requires no user interaction beyond the password reset attempt and can be carried out remotely if the attacker has access to a valid SSO user account or can impersonate one. The patched versions address the issue by disabling password reset for all SSO users, so that password resets must be handled exclusively through the SSO IdP, restoring the intended authentication flow and preventing unauthorized password resets within Metabase itself. There are no known exploits in the wild as of the published date, and no CVSS score has been assigned to this vulnerability.
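To make the missing check concrete, the following is a simplified model of a password-reset request handler, written here as an added illustration and not taken from Metabase's code base. It shows the pre-fix logic (any known account gets a reset token) beside the fixed logic (accounts owned by an IdP are refused), plus a small log review that flags reset requests against SSO accounts, which is the monitoring the mitigation section calls for. The user directory, the `sso_source` field name and the log line format are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple
import secrets

@dataclass
class User:
    email: str
    sso_source: Optional[str]  # e.g. "saml" or "google"; None for a local account

# Constructed directory of accounts (not real Metabase data).
USERS = {
    "alice@example.test": User("alice@example.test", sso_source="saml"),
    "bob@example.test": User("bob@example.test", sso_source=None),
}

def request_reset_vulnerable(email: str) -> Optional[str]:
    """Pre-fix behaviour: every known account is issued a reset token, so an
    SSO-managed account can end up with an application-local password that
    works without the IdP being involved."""
    user = USERS.get(email)
    if user is None:
        return None
    return secrets.token_urlsafe(32)

def request_reset_fixed(email: str) -> Optional[str]:
    """Post-fix behaviour: the missing step is added. Accounts whose identity
    is owned by an IdP never get a local reset token, so password management
    stays exclusively with the IdP."""
    user = USERS.get(email)
    if user is None or user.sso_source is not None:
        return None
    return secrets.token_urlsafe(32)

# Constructed log lines; the format is an assumption, not Metabase's real one.
LOG_LINES = [
    "2022-10-01T10:00:00Z INFO password-reset requested email=bob@example.test ip=10.0.0.5",
    "2022-10-01T10:02:13Z INFO password-reset requested email=alice@example.test ip=203.0.113.9",
]

def flag_sso_reset_attempts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection: return (email, sso_source, ip) for every reset request that
    targets an SSO-managed account. On an unpatched instance each hit is an
    attempt to bypass the IdP; on a patched one it is still worth alerting on."""
    hits = []
    for line in lines:
        if "password-reset requested" not in line:
            continue
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        user = USERS.get(fields.get("email", ""))
        if user is not None and user.sso_source is not None:
            hits.append((user.email, user.sso_source, fields.get("ip", "")))
    return hits
```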
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on Metabase for critical data visualization and decision-making. Unauthorized password resets could allow attackers to gain access to sensitive corporate data, including financial reports, customer analytics, and operational metrics. This could lead to data confidentiality breaches, potential data manipulation, and loss of trust in business intelligence outputs. Organizations using SSO rely on centralized identity management to enforce strong security policies; this vulnerability undermines that model by enabling local password resets that bypass SSO controls. A compromised Metabase account could also serve as a foothold for lateral movement within the network, potentially exposing other connected systems. Given the medium severity rating and the lack of known active exploitation, the threat is moderate but should not be underestimated, especially in sectors with high data sensitivity such as finance, healthcare, and government agencies within Europe.
Mitigation Recommendations
European organizations should immediately verify their Metabase versions and upgrade to the patched versions listed (0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, 1.41.9, or later). If an upgrade is temporarily not feasible, disable password reset functionality within Metabase for all SSO users. Implement strict monitoring and alerting on password reset attempts in Metabase logs to detect anomalous activity, in particular reset requests for accounts that should only authenticate through the IdP. Enforce multi-factor authentication (MFA) at the SSO IdP level to reduce the risk of compromised credentials. Audit user accounts to identify any unauthorized password changes or suspicious access patterns. Additionally, apply network segmentation to limit Metabase access to trusted internal networks or VPNs, reducing exposure to external attackers. Finally, review and tighten SSO configurations and policies to ensure that password management is handled exclusively by the IdP, preventing any local overrides.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9846c4522896dcbf4967
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 2:38:18 PM
Last updated: 7/26/2025, 2:36:02 PM