ApacheSuperset

68 matches found

CVE-2024-53947 (added 2024/12/09 1:35 p.m., 2913 views)

CVE-2024-53947: Apache Superset is affected by an SQL Injection vulnerability due to improper neutralization of certain engine-specific functions, allowing bypass of SQL authorization. The issue affects versions

CVSS 9.8 | AI score 7 | EPSS 0.0079
CVE-2023-36388 (added 2023/09/06 12:53 p.m., 2515 views)

CVE-2023-36388 concerns Apache Superset. The issue is an improper REST API permission configuration that allows an authenticated, low-privilege user to initiate network connections, enabling possible SSRF. The vulnerability affects Superset up to version 2.1.0 (and older per disclosures), with th...

CVSS 5.4 | AI score 5.2 | EPSS 0.00806
CVE-2023-36387 (added 2023/09/06 12:19 p.m., 2511 views)

CVE-2023-36387 affects Apache Superset up to version 2.1.0. The issue is an improper default REST API permission that allows an authenticated Gamma user to test a database connection. The available connected documents corroborate this risk across multiple sources (e.g., Red Hat, OSV, CNVD-like re...

CVSS 5.4 | AI score 5.3 | EPSS 0.00839
CVE-2023-39264 (added 2023/09/06 12:58 p.m., 2502 views)

CVE-2023-39264 affects Apache Superset up to version 2.1.0. The root cause is that error handling defaulted to emitting stack traces, which exposes internal traces via REST API endpoints. The vulnerability enables potential disclosure of internal information and is categorized with network exposu...

CVSS 4.3 | AI score 4.5 | EPSS 0.00811
CVE-2024-53949 (added 2024/12/09 1:35 p.m., 1095 views)

CVE-2024-53949 describes an improper authorization vulnerability in Apache Superset that occurs when the FAB_ADD_SECURITY_API is enabled (default is disabled). The issue allows lower-privilege users to use the security API to perform actions that should be restricted. Affected versions are 2.0.0 ...

CVSS 7.6 | AI score 6.5 | EPSS 0.00641
CVE-2023-27524 (added 2023/04/24 3:28 p.m., 435 views)

CVE-2023-27524 affects Apache Superset up to 2.0.1 where an insecure default SECRET_KEY allows authentication bypass and unauthorized access. Multiple connected sources show public exploits and PoCs (e.g., GitHub exploits for session cookie forging and potential RCE/auth bypass) illustrating prac...

CVSS 9.8 | AI score 8.3 | EPSS 0.97405 | Tags: In wild, Web
CVE-2023-25504 (added 2023/04/17 4:29 p.m., 259 views)

Apache Superset (up to and including version 2.0.1) is affected by a Server-Side Request Forgery (SSRF) vulnerability that can be exploited by an authenticated user with specific permissions through the import dataset feature to query internal resources on the server where Superset runs. The cite...

CVSS 6.5 | AI score 5.5 | EPSS 0.00949
CVE-2018-8021 (added 2018/11/07 2:00 p.m., 256 views)

CVE-2018-8021 concerns Apache Superset pre-0.23, where an unsafe pickle deserialization path can lead to remote code execution. The root cause is the use of an unsafe load method from pickle to deserialize data, enabling an attacker with network access to potentially execute arbitrary code. Multi...

CVSS 9.8 | AI score 9.7 | EPSS 0.53655 | Tags: Web
CVE-2024-24772 (added 2024/02/28 11:26 a.m., 146 views)

CVE-2024-24772 affects Apache Superset prior to 3.0.4 and 3.1.0–3.1.0.1, where a guest user could exploit the Chart Data REST API to send arbitrary SQL statements; on error, information could be leaked from the analytics database. Root cause: improper handling/neutralization of SQL in the chart d...

CVSS 4.3 | AI score 4.8 | EPSS 0.00945
CVE-2020-1932 (added 2020/01/28 12:38 a.m., 140 views)

CVE-2020-1932: Information disclosure in Apache Superset versions 0.34.0–0.35.1. Authenticated users can access an unused, undocumented API endpoint to retrieve other users’ data, including hashed passwords. Root cause is an exposed API path that allows leaking user records to logged-in users; ex...

CVSS 6.5 | AI score 6.1 | EPSS 0.01351
CVE-2024-24779 (added 2024/02/28 11:28 a.m., 134 views)

Summary: CVE-2024-24779 affects Apache Superset. If users have custom roles that include the ability to write on datasets but lack full data access permissions, they can create virtual datasets to data they should not access, potentially exposing sensitive information. What’s affected: Apache Sup...

CVSS 6.5 | AI score 5.7 | EPSS 0.00727
CVE-2024-26016 (added 2024/02/28 11:28 a.m., 120 views)

CVE-2024-26016 affects Apache Superset. A low-privilege authenticated user can import a dashboard or chart they shouldn’t access and modify its metadata, effectively gaining ownership of the object. The vulnerability hinges on improper authorization validation during the import process; access to...

CVSS 5.4 | AI score 4.9 | EPSS 0.00866
CVE-2022-27479 (added 2022/04/13 7:05 p.m., 116 views)

Apache Superset is affected by CVE-2022-27479: before version 1.4.2, the chart data API is vulnerable to SQL injection. The issue is caused by unsafely constructed chart data requests, enabling potential leakage or manipulation of data. The impact is described in public advisories as high/critica...

CVSS 9.8 | AI score 9.8 | EPSS 0.02788
CVE-2024-28148 (added 2024/05/07 1:33 p.m., 114 views)

Summary: Multiple sources describe an authorization issue in Apache Superset prior to 3.1.2. Affected product/component: Apache Superset, specifically the REST API used to explore datasources. Root cause (as stated): Incorrect datasource authorization on the explore REST API allowing an authentic...

CVSS 4.3 | AI score 6.5 | EPSS 0.00699
CVE-2021-44451 (added 2022/02/01 1:16 p.m., 110 views)

CVE-2021-44451 affects Apache Superset up to 1.3.2. The vulnerability allows authenticated users to leak database connection passwords via registered database connections. Root cause: credentials can be exposed through the configuration/connection handling for database connections. Impact: confid...

CVSS 6.5 | AI score 6.2 | EPSS 0.07863
CVE-2024-24773 (added 2024/02/28 11:24 a.m., 110 views)

The CVE-2024-24773 entry concerns Apache Superset. Affected versions are before 3.0.4 and 3.1.0 before 3.1.1, where improper parsing of nested SQL statements in SQLLab could allow authenticated users to bypass data authorization. The issue’s impact is elevated access to data within the authorizat...

CVSS 6.5 | AI score 5.9 | EPSS 0.00773
CVE-2023-37941 (added 2023/09/06 1:06 p.m., 108 views)

CVE-2023-37941 affects Apache Superset where an attacker with write access to the metadata database can persist a crafted Python object to achieve remote code execution on the web backend. The vulnerability hinges on the metadata DB, an internal component, being accessible with significant privil...

CVSS 6.6 | AI score 7.1 | EPSS 0.29226 | Tags: In wild
CVE-2024-27315 (added 2024/02/28 10:06 a.m., 108 views)

Summary: CVE-2024-27315 affects Apache Superset and is caused by improper error handling when an authenticated user with privileges to create Alerts triggers a database error via a crafted SQL statement, potentially exposing data in error logs. Affected versions: before 3.0.4 and 3.1.0 before 3.1...

CVSS 4.3 | AI score 4.8 | EPSS 0.00969
CVE-2024-53948 (added 2024/12/09 1:35 p.m., 103 views)

The CVE-2024-53948 entry concerns Apache Superset prior to 4.1.0, where error message generation can expose analytics metadata. This constitutes an information disclosure vector as described in multiple sources, with a fixed version 4.1.0 recommended by the advisories. Practical impact is informa...

CVSS 5.3 | AI score 6.5 | EPSS 0.00771
CVE-2019-12413 (added 2019/12/16 9:53 p.m., 101 views)

CVE-2019-12413 affects Apache Superset prior to 0.31. A crafted complex query allows a user to query database metadata they have no access to, revealing information via an information-disclosure vulnerability. The available sources consistently describe this as a metadata/information-disclosure i...

CVSS 5.3 | AI score 5 | EPSS 0.02779
CVE-2025-48912 (added 2025/05/30 8:26 a.m., 100 views)

CVE-2025-48912 affects Apache Superset prior to 4.1.2. An authenticated attacker can bypass row-level security by injecting SQL into the sqlExpression fields, enabling sub-queries that bypass defenses and grant unauthorized data access. The issue is triggered by specially crafted requests and is ...

CVSS 7.1 | AI score 7.1 | EPSS 0.0062
CVE-2021-28125 (added 2021/04/27 9:27 a.m., 99 views)

CVE-2021-28125 affects Apache Superset up to and including 1.0.1. The issue is an open redirect in the URL shortener functionality caused by not validating user input, enabling a malicious user to craft a short URL for a dashboard that could deceive users into clicking it. Connected advisories co...

CVSS 6.1 | AI score 6.1 | EPSS 0.63768
CVE-2020-13952 (added 2020/09/30 8:48 p.m., 98 views)

Apache Superset CVE-2020-13952 affects all versions

CVSS 8.1 | AI score 7.7 | EPSS 0.02001
CVE-2019-12414 (added 2019/12/16 9:52 p.m., 93 views)

CVE-2019-12414 affects Apache Incubator Superset prior to 0.32. The issue allows a user to view database names to which they have no access, exposed in a SQLLab dropdown. The connected sources confirm the affected product/version and the information-disclosure impact, but do not provide root-caus...

CVSS 5.3 | AI score 5 | EPSS 0.02707
CVE-2021-37839 (added 2022/07/06 12:35 p.m., 92 views)

CVE-2021-37839 affects Apache Superset up to version 1.5.1. The issue is an access control error that allows authenticated users to read metadata for datasets they have no permission on. Affected metadata includes dataset name, columns, and metrics. The root cause is described in connected source...

CVSS 4.3 | AI score 4.2 | EPSS 0.01134
CVE-2021-27907 (added 2021/03/05 11:35 a.m., 91 views)

CVE-2021-27907 affects Apache Superset up to version 0.38.0. A vulnerability exists where a Markdown component on a Dashboard page can be abused to inject JavaScript that is executed in the context of a user’s browser (Stored XSS). The underlying issue is the ability to create a div containing an...

CVSS 5.4 | AI score 5.3 | EPSS 0.86393
CVE-2023-49657 (added 2024/01/23 3:06 p.m., 89 views)

Apache Superset prior to 3.0.3 is affected by a stored XSS vulnerability: an authenticated user with create/update permissions on charts or dashboards can store a script or HTML snippet that executes in the context of a page. Impact details in the connected sources align on stored XSS with potent...

CVSS 9.6 | AI score 4.9 | EPSS 0.0083
CVE-2022-41703 (added 2023/01/16 10:14 a.m., 88 views)

The CVE-2022-41703 issue is in Apache Superset’s SQL Alchemy connector. An authenticated user with read access to a database can add subqueries in the WHERE and HAVING clauses that reference tables the user should not access, even when the ALLOW_ADHOC_SUBQUERY feature flag is disabled. Affected v...

CVSS 5.4 | AI score 5.4 | EPSS 0.01194
CVE-2024-39887 (added 2024/07/16 9:20 a.m., 87 views)

CVE-2024-39887 describes an SQL Injection in Apache Superset due to improper neutralization of engine-specific SQL functions. The vulnerability affects “Apache Superset” and allows bypassing SQL authorization via certain PostgreSQL functions, mitigated by a config key DISALLOWED_SQL_FUNCTIONS. Th...

CVSS 9.8 | AI score 7.3 | EPSS 0.04433
CVE-2021-41971 (added 2021/10/18 2:30 p.m., 86 views)

Apache Superset versions up to 1.3.0 are affected by an SQL injection vulnerability when ENABLE_TEMPLATE_PROCESSING is enabled. The issue arises in template processing logic that processes a malicious HTTP request with a crafted URL, leading to potential SQL injection. Several sources (NVD, OSV, ...

CVSS 8.8 | AI score 8.9 | EPSS 0.01709
CVE-2021-32609 (added 2021/10/18 2:30 p.m., 85 views)

CVE-2021-32609: Apache Superset up to 1.1 is affected by an XSS vulnerability on the Explore page due to unsanitized chart titles. An attacker with Explore access can save a chart with a malicious title, injecting HTML (including scripts) into the page. Connected sources (BIT-SUPERSET-2021-32609,...

CVSS 5.4 | AI score 5.3 | EPSS 0.01602
CVE-2021-42250 (added 2021/11/17 3:10 p.m., 85 views)

CVE-2021-42250 affects Apache Superset. The issue is improper output neutralization in a specific HTTP endpoint, allowing an authenticated user to forge log entries or inject malicious content into logs. Connected sources (NVD, OSV, GHSA, CNVD, OSV mirrors) confirm the vulnerability in Apache Sup...

CVSS 6.5 | AI score 6.3 | EPSS 0.01761
CVE-2024-34693 (added 2024/06/20 8:51 a.m., 85 views)

CVE-2024-34693 is an Apache Superset vulnerability described across multiple sources as an Improper Input Validation issue. An authenticated attacker can create a MariaDB connection with local_infile enabled, and if both the MariaDB server and the local MySQL client on the web server permit local...

CVSS 6.8 | AI score 6.1 | EPSS 0.01571
CVE-2024-55633 (added 2024/12/12 2:36 p.m., 85 views)

CVE-2024-55633 is an Improper Authorization vulnerability in Apache Superset. An attacker with SQLLab access to a PostgreSQL analytic database can craft a SQL DML statement that is incorrectly identified as a read-only query, allowing its execution. The issue does not affect non-PostgreSQL analyt...

CVSS 7.1 | AI score 7.2 | EPSS 0.02562
CVE-2022-45438 (added 2023/01/16 10:12 a.m., 84 views)

CVE-2022-45438 affects Apache Superset where enabling the DASHBOARD_CACHE feature flag (off by default) allows an unauthenticated user to access dashboard configuration metadata via a REST API GET endpoint. Affected versions are Superset 1.5.2 and earlier, and 2.0.0. The underlying issue is an im...

CVSS 5.3 | AI score 5.2 | EPSS 0.01229
CVE-2023-30776 (added 2023/04/24 3:29 p.m., 81 views)

Technical details (affected product versions, root cause, exploitability, remediation) are not publicly available in the provided connected documents. Monitor for updates.

CVSS 6.5 | AI score 5.8 | EPSS 0.02067
CVE-2022-43721 (added 2023/01/16 10:10 a.m., 80 views)

CVE-2022-43721 is an Open Redirect vulnerability in Apache Superset. An authenticated user with update datasets permission can alter a dataset’s link to point to an untrusted site, causing users to be redirected when clicking that dataset. Affected: Superset versions ≤ 1.5.2 and 2.0.0, per multip...

CVSS 5.4 | AI score 5.2 | EPSS 0.00994
CVE-2020-13948 (added 2020/09/17 12:31 p.m., 78 views)

CVE-2020-13948 is tied to Apache Superset versions earlier than 0.37.1. An authenticated user could craft requests via templated text fields to gain arbitrary access to Python’s os package within the web application process. Impact details in the connected records show the user could enumerate an...

CVSS 8.8 | AI score 8.6 | EPSS 0.03076
CVE-2022-43717 (added 2023/01/16 10:08 a.m., 77 views)

CVE-2022-43717 affects Apache Superset: dashboard rendering does not sufficiently sanitize Markdown content, enabling possible XSS by authenticated users with create dashboard permissions. Documented impact covers Superset versions 1.5.2 and earlier, and 2.0.0 (per CVE sources and related advisor...

CVSS 5.4 | AI score 5.1 | EPSS 0.0124
CVE-2022-43719 (added 2023/01/16 10:10 a.m., 77 views)

CVE-2022-43719 affects Apache Superset; two legacy REST API endpoints for approval and request access are vulnerable to CSRF, impacting versions 1.5.2 and earlier, and 2.0.0. Root cause indicated by sources is lack of CSRF protection on these endpoints. CVSS v3.1 metrics show high impact (Confide...

CVSS 8.8 | AI score 8.6 | EPSS 0.00567
CVE-2022-43720 (added 2023/01/16 10:10 a.m., 77 views)

CVE-2022-43720 affects Apache Superset (notified in multiple sources). An authenticated attacker with write permissions on CSS templates can create a record containing specific HTML tags that are not properly escaped by the toast message shown when deleting that CSS template, enabling HTML/Script...

CVSS 5.4 | AI score 5.3 | EPSS 0.01243
CVE-2021-41972 (added 2021/11/12 6:55 p.m., 76 views)

CVE-2021-41972 affects Apache Superset up to and including 1.3.1, where database connection passwords could be leaked to authenticated users in a non-trivial way. Connected documents corroborate a credentials leakage issue; however, the provided sources do not specify exploit vectors, affected su...

CVSS 6.5 | AI score 6.2 | EPSS 0.01449
CVE-2022-43718 (added 2023/01/16 10:10 a.m., 76 views)

CVE-2022-43718 affects Apache Superset up to version 1.5.2 and version 2.0.0. The issue is a Cross-Site Scripting (XSS) vulnerability caused by upload data forms not correctly rendering user input, exploitable by authenticated users with database connection update permissions. The connected docum...

CVSS 5.4 | AI score 5.1 | EPSS 0.01302
CVE-2023-27525 (added 2023/04/17 4:28 p.m., 73 views)

CVE-2023-27525 affects Apache Superset up to 2.0.1. An authenticated user with the Gamma role could access metadata information using non-trivial methods, enabling information disclosure. Documented impact is limited to metadata exposure; no exploit vectors or fixes are provided in the supplied s...

CVSS 4.3 | AI score 4.1 | EPSS 0.00773
CVE-2023-39265 (added 2023/09/06 1:00 p.m., 73 views)

CVE-2023-39265: Multiple connected documents describe a vulnerability in Apache Superset where SQLite database connections can be registered incorrectly when using alternative driver names (e.g., sqlite+pysqlite) or via database imports. This may allow arbitrary file creation on Superset webserv...

CVSS 6.5 | AI score 5.7 | EPSS 0.83716 | Tags: In wild
CVE-2025-27696 (added 2025/05/13 8:21 a.m., 71 views)

The CVE-2025-27696 entry concerns Apache Superset up to version 4.1.1, where an Incorrect Authorization vulnerability lets authenticated users with read permissions take ownership of dashboards, charts, or datasets. A fix is available in 4.1.2 and later. The public details consistently describe t...

CVSS 8.8 | AI score 8.7 | EPSS 0.00972
CVE-2023-42504 (added 2023/11/28 5:59 p.m., 67 views)

CVE-2023-42504 describes a denial-of-service vulnerability in Apache Superset prior to 3.0.0 where an authenticated attacker can initiate multiple concurrent dashboard exports, potentially exhausting resources. Multiple connected sources (OSV, Red Hat, CNVD, GHSA advisories, etc.) corroborate a r...

CVSS 6.5 | AI score 5.8 | EPSS 0.0114
CVE-2023-40610 (added 2023/11/27 10:22 a.m., 66 views)

CVE-2023-40610 affects Apache Superset prior to version 2.1.2. The issue is an improper authorization check that enables privilege escalation when using the default examples database connection, which can grant access to both the examples schema and Superset metadata DB. A specially crafted CTE S...

CVSS 8.8 | AI score 7.6 | EPSS 0.01335
CVE-2023-42505 (added 2023/11/28 4:26 p.m., 64 views)

CVE-2023-42505 affects Apache Superset prior to 3.0.0. An authenticated user with read permissions on database connections metadata could access sensitive information such as the connection username. The connected documents confirm the affected product and impact but do not provide exploit detail...

CVSS 4.3 | AI score 4.2 | EPSS 0.01009
CVE-2023-49734 (added 2023/12/19 9:52 a.m., 64 views)

Apache Superset is affected by a privilege-escalation vulnerability (CVE-2023-49734) where an authenticated Gamma user can create a dashboard, add charts, and automatically become an owner of those charts, gaining write permissions. Affected versions include the prior 2.1.x line (before 2.1.2) a...

CVSS 7.7 | AI score 6.8 | EPSS 0.00942
Total number of security vulnerabilities: 68