Lucene search

GitHub Advisory DatabaseGHSA-FPMR-QMGH-42X2

HistoryJan 16, 2023 - 12:30 p.m.

Apache Superset vulnerable to Injection

2023-01-1612:30:17

CWE-74

GitHub Advisory Database

github.com

apache superset

injection

css template

vulnerability

html

escaped

1.5.2

2.0.0

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

34.8%

JSON

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected configurations

Vulners

Node

apachesupersetMatch2.0.0

apachesupersetRange≤1.5.2

VendorProductVersionCPE
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:*:*:*:*:*:*:*
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:::::::*
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

github.com/advisories/GHSA-fpmr-qmgh-42x2

lists.apache.org/thread/jts6x56kghr9mbowb653bk70pl81jp8l

nvd.nist.gov/vuln/detail/CVE-2022-43720

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

34.8%

JSON

Related for GHSA-FPMR-QMGH-42X2