CVE-2022-45438

2023-01-1611:15:10

CWE-668

[email protected]

web.nvd.nist.gov

apache superset

unauthenticated access

vulnerability

dashboard_cache

rest api

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

49.3%

JSON

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected configurations

Nvd

Node

apachesupersetRange≤1.5.2

apachesupersetMatch2.0.0-

apachesupersetMatch2.0.0rc1

apachesupersetMatch2.0.0rc2

VendorProductVersionCPE
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	*	cpe:2.3:a:apache:superset::::::::
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:-::::::
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:rc1::::::
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:rc2::::::