Lucene search

GitHub Advisory DatabaseGHSA-8F5J-MGX9-5HM5

HistoryJan 16, 2023 - 12:30 p.m.

Apache Superset has Improper Access Control

2023-01-1612:30:17

CWE-284

CWE-668

GitHub Advisory Database

github.com

apache

superset

improper access control

dashboard_cache

rest api

version 1.5.2

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

49.3%

JSON

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected configurations

Vulners

Node

apachesupersetMatch2.0.0

apachesupersetRange≤1.5.2

VendorProductVersionCPE
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:*:*:*:*:*:*:*
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:::::::*
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

github.com/advisories/GHSA-8f5j-mgx9-5hm5

lists.apache.org/thread/snxbkf2x9kww7s0wkmydct9nhqqn9rv9

nvd.nist.gov/vuln/detail/CVE-2022-45438

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

49.3%

JSON

Related for GHSA-8F5J-MGX9-5HM5