CVE-2022-39360: Refactor password reset login for SSO users (#25819) (#25826) · metabase/metabase@edadf73
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to perform password resets on Metabase, which could allow a user to gain access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.
@@ -1,24 +1,31 @@
{{> metabase/email/_header }}
<div>
{{#sso}}
{{#google}}
<p>You’re using Google to log in to {{applicationName}}, so you don’t have a password. You can log in to {{applicationName}} by clicking "Sign in with Google"</p>
<a href="{{siteUrl}}">Go to {{applicationName}}</a>
{{/sso}}
{{^sso}}
{{#isActive}}
<div style="text-align: center">
<p>Click the button below to reset the password for your {{applicationName}} account at {{siteUrl}}.</p>
<a style="display: inline-block; box-sizing: border-box; font-size: 18px; padding: 8px 22px; cursor: pointer; text-decoration: none; border-radius: 4px; background-color: #4990E2; border-color: #4990E2; color: #fff;" href="{{passwordResetUrl}}">Reset password</a>
<p style="padding-top: 2em; font-size: small;">Didn’t request this password reset? It’s safe to ignore it.</p>
</div>
{{/isActive}}
{{^isActive}}
<p>Someone requested a password reset for your {{applicationName}} account at {{siteUrl}}, but your account
has been deactivated. Contact an administrator for further assistance.</p>
{{#adminEmailSet}}
<a href="mailto:{{adminEmail}}">Contact your administrator</a>
{{/adminEmailSet}}
{{/isActive}}
{{/sso}}
{{/google}}
{{^google}}
{{#nonGoogleSSO}}
<p>We can’t reset your password becase you’re using single sign-on to log in to {{applicationName}}. Use the
“Sign in with SSO” button on the log in page. To change your password, you’ll need to contact an administrator.</p>
<a href="{{siteUrl}}">Go to {{applicationName}}</a>
{{/nonGoogleSSO}}
{{^nonGoogleSSO}}
{{#isActive}}
<div style="text-align: center">
<p>Click the button below to reset the password for your {{applicationName}} account at {{siteUrl}}.</p>
<a style="display: inline-block; box-sizing: border-box; font-size: 18px; padding: 8px 22px; cursor: pointer; text-decoration: none; border-radius: 4px; background-color: #4990E2; border-color: #4990E2; color: #fff;" href="{{passwordResetUrl}}">Reset password</a>
<p style="padding-top: 2em; font-size: small;">Didn’t request this password reset? It’s safe to ignore it.</p>
</div>
{{/isActive}}
{{^isActive}}
<p>Someone requested a password reset for your {{applicationName}} account at {{siteUrl}}, but your account
has been deactivated. Contact an administrator for further assistance.</p>
{{#adminEmailSet}}
<a href="mailto:{{adminEmail}}">Contact your administrator</a>
{{/adminEmailSet}}
{{/isActive}}
{{/nonGoogleSSO}}
{{/google}}
</div>
{{> metabase/email/_footer }}
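Review bot: typo in the `{{#nonGoogleSSO}}` message: "We can’t reset your password becase you’re using single sign-on" should read "because". More importantly for the fix this commit is meant to deliver, this template change only alters the wording of the e-mail based on the `google` and `nonGoogleSSO` flags; nothing in this hunk shows where those flags are computed or whether `{{passwordResetUrl}}` (and the reset token behind it) is still generated for an SSO-backed account before the template is rendered. The effective control is the server-side refusal to issue a reset token for SSO users, so that code path should be reviewed and tested alongside this template, and ideally the `{{#nonGoogleSSO}}` and `{{#google}}` branches should be rendered from a context in which no reset URL is ever populated. A small wording nit as well: the Google branch's sentence `...by clicking "Sign in with Google"` is missing its terminal period.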