History: Feb 28, 2024 - 10:15 a.m.

CVE-2024-27315

2024-02-28 10:15:09
CWE-200
apache
web.nvd.nist.gov
Tags: cve-2024, apache superset, sql error, alert creation, sensitive data, security update

CVSS3: 4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 4.9
Confidence: High

EPSS: 0
Percentile: 9.0%

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data.

This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Affected configurations

Vulners

Node
Vendor: apache_software_foundation, Product: apache_superset, Range: 3.0.4
OR
Vendor: apache_software_foundation, Product: apache_superset, Range: 3.1.1

Vendor: apache_software_foundation
Product: apache_superset
Version: *
CPE: cpe:2.3:a:apache_software_foundation:apache_superset:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Superset",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.0.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.1.1",
        "status": "affected",
        "version": "3.1.0",
        "versionType": "semver"
      }
    ]
  }
]
