Description
An access control error vulnerability exists in Apache Superset, a data visualization and data exploration platform from the Apache Foundation (U.S.). The vulnerability stems from improper access restrictions. A remote attacker could bypass the implemented security restrictions and access sensitive information, such as dataset names, columns, and metrics.
Affected Software
Related
{"id": "CNVD-2022-53253", "vendorId": null, "type": "cnvd", "bulletinFamily": "cnvd", "title": "Apache Superset Access Control Error Vulnerability", "description": "An access control error vulnerability exists in Apache Superset, a data visualization and data exploration platform from the Apache Foundation, U.S. The vulnerability stems from improper access restrictions. A remote attacker could bypass implemented security restrictions and access sensitive information, such as dataset names, columns, and metrics.", "published": "2022-07-08T00:00:00", "modified": "2022-07-23T00:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-53253", "reporter": "China National Vulnerability Database", "references": [], "cvelist": ["CVE-2021-37839"], "immutableFields": [], "lastseen": "2022-08-17T10:05:48", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-37839"]}, {"type": "github", "idList": ["GHSA-748R-5R8Q-273M"]}, {"type": "osv", "idList": 
["OSV:GHSA-748R-5R8Q-273M"]}, {"type": "veracode", "idList": ["VERACODE:36290"]}]}, "score": {"value": 4.8, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "apache superset", "version": 1}]}, "epss": [{"cve": "CVE-2021-37839", "epss": "0.000640000", "percentile": "0.260640000", "modified": "2023-03-19"}], "vulnersScore": 4.8}, "_state": {"dependencies": 1660730988, "score": 1660731805, "affected_software_major_version": 1671609951, "epss": 1679303669}, "_internal": {"score_hash": "1bb9e884d71986f63da81d2495ea53ba"}, "vendorCVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "affectedSoftware": [{"version": "1.5.1", "operator": "le", "name": "apache superset"}]}
{"github": [{"lastseen": "2023-01-27T05:06:34", "description": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-07-07T00:00:26", "type": "github", "title": "Apache Superset before 1.5.1 allows authenticated users to access metadata for datasets they have no permission on", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37839"], "modified": "2023-01-27T05:05:25", "id": "GHSA-748R-5R8Q-273M", "href": "https://github.com/advisories/GHSA-748r-5r8q-273m", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-02-09T14:27:43", "description": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. 
This metadata included the dataset name, columns and metrics.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-07-06T13:15:00", "type": "cve", "title": "CVE-2021-37839", "cwe": ["CWE-273"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37839"], "modified": "2022-07-14T01:02:00", "cpe": ["cpe:/a:apache:superset:1.5.1"], "id": "CVE-2021-37839", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37839", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:apache:superset:1.5.1:*:*:*:*:*:*:*"]}], "veracode": [{"lastseen": "2022-07-14T08:02:12", "description": "apache_superset is vulnerable to information disclosure. The vulnerability exists in `apply` function in `base.py` because the permission to access metadata is not properly handled which allows an attacker to gain access to sensitive information such as dataset name, columns and metrics. 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-07-07T16:00:12", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37839"], "modified": "2022-07-08T04:32:18", "id": "VERACODE:36290", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-36290/summary", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2023-03-07T05:48:46", "description": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. 
This metadata included the dataset name, columns and metrics.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-07-07T00:00:26", "type": "osv", "title": "Apache Superset before 1.5.1 allows authenticated users to access metadata for datasets they have no permission on", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37839"], "modified": "2023-03-07T05:48:45", "id": "OSV:GHSA-748R-5R8Q-273M", "href": "https://osv.dev/vulnerability/GHSA-748r-5r8q-273m", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}