CVE-2022-39360: 
NixOS vulnerability analysis and mitigation

CVE-2022-39360 affects Metabase, a data visualization software, prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. The vulnerability allows single sign-on (SSO) users to perform password resets on Metabase, which could enable unauthorized access by bypassing the SSO Identity Provider (IdP) authentication (Metabase Advisory).

The vulnerability exists in the password reset functionality of Metabase where SSO users were incorrectly allowed to perform password resets. This could enable users to bypass the intended SSO authentication flow and gain direct access to the system without going through the IdP. The issue has been assigned a CVSS v3 Base Score of 6.5 (Medium), indicating moderate severity with network attack vector, low privilege requirements, and no user interaction needed (AttackerKB).

The vulnerability could allow SSO users to circumvent the intended authentication mechanism by resetting their password directly in Metabase, effectively bypassing the security controls provided by the Identity Provider. This creates a potential security gap in organizations relying on SSO for centralized access control and user management (Metabase Advisory).

The vulnerability has been patched in Metabase versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. The fix involves blocking password reset functionality for all users who use SSO for their Metabase login (Metabase Commit).