Superset Security Vulnerabilities and Issues — Page 2 of Superset CVE List

Lucene search

ApacheSuperset

59 matches found

CVE•added 2023/11/27 11:15 a.m.•39 views

CVE-2023-43701

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superse...

5.4CVSS4.9AI score0.00129EPSS

CVE•added 2023/12/19 10:15 a.m.•39 views

CVE-2023-49736

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the is...

8.8CVSS7.6AI score0.00456EPSS

CVE•added 2024/02/14 12:15 p.m.•39 views

CVE-2024-23952

This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset. Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset ve...

6.5CVSS6.1AI score0.01246EPSS

CVE•added 2023/09/06 1:15 p.m.•38 views

CVE-2023-27526

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.

4.3CVSS4.4AI score0.00093EPSS

CVE•added 2023/09/06 2:15 p.m.•38 views

CVE-2023-32672

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.

4.3CVSS4.5AI score0.00128EPSS

CVE•added 2023/09/06 1:15 p.m.•36 views

CVE-2023-27523

Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.

5CVSS4.6AI score0.00053EPSS

CVE•added 2023/12/19 10:15 a.m.•35 views

CVE-2023-46104

Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

6.5CVSS6.1AI score0.0036EPSS

CVE•added 2023/11/28 5:15 p.m.•34 views

CVE-2023-42502

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

5.4CVSS4.9AI score0.00057EPSS

CVE•added 2023/11/27 11:15 a.m.•31 views

CVE-2023-42501

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.This issue affects Apache Superset: before 2.1.2.Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read ...

4.3CVSS4.4AI score0.00072EPSS

Total number of security vulnerabilities59