Lucene search
K

39 matches found

CVE
CVE
added 2024/12/09 1:35 p.m.2916 views

CVE-2024-53947

CVE-2024-53947 : Apache Superset is affected by an SQL Injection vulnerability due to improper neutralization of certain engine-specific functions, allowing bypass of SQL authorization. The issue affects versions

9.8CVSS7AI score0.00806EPSS
CVE
CVE
added 2018/11/07 2:0 p.m.257 views

CVE-2018-8021

CVE-2018-8021 concerns Apache Superset pre-0.23, where an unsafe pickle deserialization path can lead to remote code execution. The root cause is the use of an unsafe load method from pickle to deserialize data, enabling an attacker with network access to potentially execute arbitrary code. Multi...

9.8CVSS9.7AI score0.53934EPSS
Web
CVE
CVE
added 2024/02/28 11:26 a.m.150 views

CVE-2024-24772

CVE-2024-24772 affects Apache Superset prior to 3.0.4 and 3.1.0–3.1.0.1, where a guest user could exploit the Chart Data REST API to send arbitrary SQL statements; on error, information could be leaked from the analytics database. Root cause: improper handling/neutralization of SQL in the chart d...

4.3CVSS4.8AI score0.00945EPSS
CVE
CVE
added 2024/02/28 11:28 a.m.121 views

CVE-2024-26016

CVE-2024-26016 affects Apache Superset. A low-privilege authenticated user can import a dashboard or chart they shouldn’t access and modify its metadata, effectively gaining ownership of the object. The vulnerability hinges on improper authorization validation during the import process; access to...

5.4CVSS4.9AI score0.00866EPSS
CVE
CVE
added 2022/04/13 7:5 p.m.117 views

CVE-2022-27479

Apache Superset is affected by CVE-2022-27479: before version 1.4.2, the chart data API is vulnerable to SQL injection. The issue is caused by unsafely constructed chart data requests, enabling potential leakage or manipulation of data. The impact is described in public advisories as high/critica...

9.8CVSS9.8AI score0.02788EPSS
CVE
CVE
added 2024/05/07 1:33 p.m.117 views

CVE-2024-28148

Summary: Multiple sources describe an authorization issue in Apache Superset prior to 3.1.2. Affected product/component: Apache Superset, specifically the REST API used to explore datasources. Root cause (as stated): Incorrect datasource authorization on the explore REST API allowing an authentic...

4.3CVSS6.5AI score0.00699EPSS
CVE
CVE
added 2024/02/28 11:24 a.m.110 views

CVE-2024-24773

The CVE-2024-24773 entry concerns Apache Superset. Affected versions are before 3.0.4 and 3.1.0 before 3.1.1, where improper parsing of nested SQL statements in SQLLab could allow authenticated users to bypass data authorization. The issue’s impact is elevated access to data within the authorizat...

6.5CVSS5.9AI score0.00773EPSS
CVE
CVE
added 2024/02/28 10:6 a.m.109 views

CVE-2024-27315

Summary: CVE-2024-27315 affects Apache Superset and is caused by improper error handling when an authenticated user with privileges to create Alerts triggers a database error via a crafted SQL statement, potentially exposing data in error logs. Affected versions: before 3.0.4 and 3.1.0 before 3.1...

4.3CVSS4.8AI score0.00969EPSS
CVE
CVE
added 2024/12/09 1:35 p.m.106 views

CVE-2024-53948

The CVE-2024-53948 entry concerns Apache Superset prior to 4.1.0, where error message generation can expose analytics metadata. This constitutes an information disclosure vector as described in multiple sources, with a fixed version 4.1.0 recommended by the advisories. Practical impact is informa...

5.3CVSS6.5AI score0.00787EPSS
CVE
CVE
added 2025/05/30 8:26 a.m.103 views

CVE-2025-48912

CVE-2025-48912 affects Apache Superset prior to 4.1.2. An authenticated attacker can bypass row-level security by injecting SQL into the sqlExpression fields, enabling sub-queries that bypass defenses and grant unauthorized data access. The issue is triggered by specially crafted requests and is ...

7.1CVSS7.1AI score0.0062EPSS
CVE
CVE
added 2019/12/16 9:53 p.m.102 views

CVE-2019-12413

CVE-2019-12413 affects Apache Superset prior to 0.31. A crafted complex query allows a user to query database metadata they have no access to, revealing information via an information-disclosure vulnerability. The available sources consistently describe this as a metadata/information-disclosure i...

5.3CVSS5AI score0.02779EPSS
CVE
CVE
added 2020/09/30 8:48 p.m.100 views

CVE-2020-13952

Apache Superset CVE-2020-13952 affects all versions

8.1CVSS7.7AI score0.02001EPSS
CVE
CVE
added 2019/12/16 9:52 p.m.94 views

CVE-2019-12414

CVE-2019-12414 affects Apache Incubator Superset prior to 0.32. The issue allows a user to view database names to which they have no access, exposed in a SQLLab dropdown. The connected sources confirm the affected product/version and the information-disclosure impact, but do not provide root-caus...

5.3CVSS5AI score0.02707EPSS
CVE
CVE
added 2024/01/23 3:6 p.m.92 views

CVE-2023-49657

Apache Superset prior to 3.0.3 is affected by a stored XSS vulnerability: an authenticated user with create/update permissions on charts or dashboards can store a script or HTML snippet that executes in the context of a page. Impact details in the connected sources align on stored XSS with potent...

9.6CVSS4.9AI score0.0083EPSS
CVE
CVE
added 2024/07/16 9:20 a.m.91 views

CVE-2024-39887

CVE-2024-39887 describes an SQL Injection in Apache Superset due to improper neutralization of engine-specific SQL functions. The vulnerability affects “Apache Superset” and allows bypassing SQL authorization via certain PostgreSQL functions, mitigated by a config key DISALLOWED_SQL_FUNCTIONS. Th...

9.8CVSS7.3AI score0.04433EPSS
CVE
CVE
added 2024/12/12 2:36 p.m.89 views

CVE-2024-55633

CVE-2024-55633 is an Improper Authorization vulnerability in Apache Superset. An attacker with SQLLab access to a PostgreSQL analytic database can craft a SQL DML statement that is incorrectly identified as a read-only query, allowing its execution. The issue does not affect non-PostgreSQL analyt...

7.1CVSS7.2AI score0.02562EPSS
CVE
CVE
added 2021/11/17 3:10 p.m.86 views

CVE-2021-42250

CVE-2021-42250 affects Apache Superset. The issue is improper output neutralization in a specific HTTP endpoint, allowing an authenticated user to forge log entries or inject malicious content into logs. Connected sources (NVD, OSV, GHSA, CNVD, OSV mirrors) confirm the vulnerability in Apache Sup...

6.5CVSS6.3AI score0.01761EPSS
CVE
CVE
added 2024/06/20 8:51 a.m.86 views

CVE-2024-34693

CVE-2024-34693 is an Apache Superset vulnerability described across multiple sources as an Improper Input Validation issue. An authenticated attacker can create a MariaDB connection with local_infile enabled, and if both the MariaDB server and the local MySQL client on the web server permit local...

6.8CVSS6.1AI score0.01571EPSS
CVE
CVE
added 2020/09/17 12:31 p.m.78 views

CVE-2020-13948

CVE-2020-13948 is tied to Apache Superset versions earlier than 0.37.1. An authenticated user could craft requests via templated text fields to gain arbitrary access to Python’s os package within the web application process. Impact details in the connected records show the user could enumerate an...

8.8CVSS8.6AI score0.03076EPSS
CVE
CVE
added 2025/05/13 8:21 a.m.73 views

CVE-2025-27696

The CVE-2025-27696 entry concerns Apache Superset up to version 4.1.1, where an Incorrect Authorization vulnerability lets authenticated users with read permissions take ownership of dashboards, charts, or datasets. A fix is available in 4.1.2 and later. The public details consistently describe t...

8.8CVSS8.7AI score0.00972EPSS
CVE
CVE
added 2023/11/28 5:59 p.m.68 views

CVE-2023-42504

CVE-2023-42504 describes a denial-of-service vulnerability in Apache Superset prior to 3.0.0 where an authenticated attacker can initiate multiple concurrent dashboard exports, potentially exhausting resources. Multiple connected sources (OSV, Red Hat, CNVD, GHSA advisories, etc.) corroborate a r...

6.5CVSS5.8AI score0.0114EPSS
CVE
CVE
added 2023/11/27 10:22 a.m.67 views

CVE-2023-40610

CVE-2023-40610 affects Apache Superset prior to version 2.1.2. The issue is an improper authorization check that enables privilege escalation when using the default examples database connection, which can grant access to both the examples schema and Superset metadata DB. A specially crafted CTE S...

8.8CVSS7.6AI score0.01335EPSS
CVE
CVE
added 2023/12/19 9:52 a.m.66 views

CVE-2023-49734

Apache Superset is affected by an privilege-escalation vulnerability (CVE-2023-49734) where an authenticated Gamma user can create a dashboard, add charts, and automatically become an owner of those charts, gaining write permissions. Affected versions include the prior 2.1.x line (before 2.1.2) a...

7.7CVSS6.8AI score0.00942EPSS
CVE
CVE
added 2023/11/28 4:26 p.m.65 views

CVE-2023-42505

CVE-2023-42505 affects Apache Superset prior to 3.0.0. An authenticated user with read permissions on database connections metadata could access sensitive information such as the connection username. The connected documents confirm the affected product and impact but do not provide exploit detail...

4.3CVSS4.2AI score0.01009EPSS
CVE
CVE
added 2023/11/27 10:52 a.m.61 views

CVE-2023-43701

CVE-2023-43701 affects Apache Superset up to version 2.1.1, where improper payload validation and a flawed REST API response type allow an authenticated attacker to store malicious code in chart metadata. The code could execute when a user accesses a specific deprecated API endpoint. Affected ver...

5.4CVSS4.9AI score0.01004EPSS
CVE
CVE
added 2023/12/19 9:33 a.m.59 views

CVE-2023-49736

CVE-2023-49736 describes a SQL injection vulnerability in Apache Superset caused by a vulnerable where_in JINJA macro. The issue allows an attacker to inject SQL via a quote parameter in the macro, with impact on confidentiality, integrity, and availability as described in the sources. Affected v...

8.8CVSS7.6AI score0.01178EPSS
CVE
CVE
added 2025/08/14 1:18 p.m.59 views

CVE-2025-55675

CVE-2025-55675 — Apache Superset : There is an improper access-control on the /explore endpoint. An authenticated user can enumerate metadata for datasources they lack permission to access by iterating datasource_id in the URL, leading to potential disclosure of protected datasource names. Affect...

6.5CVSS6.5AI score0.00479EPSS
CVE
CVE
added 2023/12/19 9:30 a.m.57 views

CVE-2023-46104

CVE-2023-46104 affects Apache Superset up to v2.1.2 and v3.0.0–v3.0.1. Uncontrolled resource consumption can be triggered by an authenticated attacker who uploads a malicious ZIP to import databases, dashboards, or datasets. The CVSS base shows a Medium severity (6.5) with Network access, low att...

6.5CVSS6.1AI score0.01653EPSS
CVE
CVE
added 2023/11/28 4:25 p.m.56 views

CVE-2023-42502

Affected software: Apache Superset. Vulnerability: open redirect via spoofing the HTTP Host header. Root cause: authenticated attackers with update datasets permission can modify a dataset link to point to an untrusted site, causing users to be redirected when clicking that dataset. Impact: poten...

5.4CVSS4.9AI score0.00823EPSS
CVE
CVE
added 2024/02/14 11:9 a.m.56 views

CVE-2024-23952

CVE-2024-23952 is a duplicate of CVE-2023-46104 describing an attack that triggers uncontrolled resource consumption in Apache Superset by an authenticated user uploading a malicious ZIP to import databases, dashboards or datasets. Affected versions include Superset up to 2.1.2 and 3.0.0–3.0.1. T...

6.5CVSS6.1AI score0.01699EPSS
CVE
CVE
added 2026/02/24 12:52 p.m.53 views

CVE-2026-23982

CVE-2026-23982 describes an Improper Authorization in Apache Superset where a low-privilege user can bypass data access controls during dataset creation by overwriting the SQL query of an existing dataset. Affected: Apache Superset

7.1CVSS5.8AI score0.00436EPSS
CVE
CVE
added 2023/11/27 10:23 a.m.52 views

CVE-2023-42501

Apache Superset prior to 2.1.2 is affected by CVE-2023-42501, where the Gamma role grants unnecessary read permissions, allowing authenticated users to read configured CSS templates and annotations. The vulnerability is described as an information disclosure risk with a CVSS v3.1 base score of 4....

4.3CVSS4.4AI score0.0086EPSS
CVE
CVE
added 2025/08/14 1:17 p.m.45 views

CVE-2025-55672

Summary: Apache Superset has a stored XSS in the chart visualization. An authenticated user with chart-edit permissions can inject a payload into a column label, which is executed in victims’ browsers on hover. This affects versions before 5.0.0 and can lead to session hijacking or arbitrary comm...

5.4CVSS6AI score0.00617EPSS
CVE
CVE
added 2025/08/14 1:18 p.m.44 views

CVE-2025-55674

CVE-2025-55674 affects Apache Superset up to version 5.0.0. The issue is a bypass of the DISALLOWED_SQL_FUNCTIONS denylist, allowing a user with SQL Lab access to execute blocked SQL functions and disclose sensitive information (e.g., software version). The publicly stated remediation is to upgra...

6.5CVSS7.7AI score0.00628EPSS
CVE
CVE
added 2026/02/24 12:54 p.m.32 views

CVE-2026-23980

Apache Superset CVE-2026-23980 describes an SQL injection issue (improper neutralization of special elements) that can be exploited by an authenticated user with read access via sqlExpression or where parameters. Affected software: Superset versions before 6.0.0. Impact as per CVSS: MEDIUM (5.3),...

6.5CVSS5.7AI score0.00503EPSS
CVE
CVE
added 2025/08/14 1:16 p.m.31 views

CVE-2025-55673

Apache Superset contains an information disclosure in the /chart/data response: when a guest user accesses a chart, the payload includes the underlying query, exposing database schema details (e.g., table names). This affects versions before 4.1.3. The issue is mitigated by upgrading to version 4...

5.3CVSS7.1AI score0.00519EPSS
Web
CVE
CVE
added 2026/02/24 12:51 p.m.30 views

CVE-2026-23984

CVE-2026-23984 affects Apache Superset prior to 6.0.0. An authenticated user with SQLLab access can bypass the read-only verification for PostgreSQL connections, enabling crafted statements to evade the existing DML blocks. This could allow execution of data manipulation operations that should be...

7.1CVSS5.7AI score0.00348EPSS
CVE
CVE
added 2026/02/24 12:52 p.m.24 views

CVE-2026-23983

Apache Superset (CVE-2026-23983) has an information disclosure vulnerability via the Tag endpoint (disabled by default). When the tagged objects include Users, the API may serialize and return sensitive fields such as password hashes (pbkdf2), email addresses, and login statistics to authenticate...

6.5CVSS5.5AI score0.004EPSS
CVE
CVE
added 2026/02/24 1:2 p.m.23 views

CVE-2026-23969

Apache Superset prior to 4.1.2 is affected by CVE-2026-23969 due to an incomplete default DISALLOWED_SQL_FUNCTIONS list for the ClickHouse engine, which can lead to exposure of sensitive information in SQL Lab and charts. The vulnerability’s impact is described with a CVSS 4.0 base score of 5.3 (...

6.5CVSS5.9AI score0.00607EPSS