Lucene search

[email protected]NVD:CVE-2023-43701

HistoryNov 27, 2023 - 11:15 a.m.

CVE-2023-43701

2023-11-2711:15:07

CWE-79

[email protected]

web.nvd.nist.gov

apache superset

payload validation

rest api

malicious actor

deprecated api

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.003

Percentile

66.1%

JSON

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart’s metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.
Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Affected configurations

Nvd

Node

apachesupersetRange<2.1.2

VendorProductVersionCPE
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892

www.openwall.com/lists/oss-security/2023/11/27/4