History: Jan 16, 2023 - 11:15 a.m.

CVE-2022-45438

2023-01-16 11:15:10
CWE-668
apache
web.nvd.nist.gov
44
cve-2022-45438
apache superset
unauthenticated access
dashboard configuration
rest api

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.2
Confidence: High

EPSS: 0.001
Percentile: 49.3%

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected configurations

Node
apache superset  Range  ≤1.5.2
OR
apache superset  Match  2.0.0-
OR
apache superset  Match  2.0.0rc1
OR
apache superset  Match  2.0.0rc2

Vendor  Product   Version  CPE
apache  superset  *        cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
apache  superset  2.0.0    cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*
apache  superset  2.0.0    cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*
apache  superset  2.0.0    cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Superset",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.0.1",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "1.5.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
