Lucene search

Veracode Vulnerability DatabaseVERACODE:43187

HistorySep 08, 2023 - 5:57 a.m.

Incorrect Authorization

2023-09-0805:57:11

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache superset

incorrect authorization

import_chart

user permissions

authenticated attacker

vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

28.0%

JSON

Apache Superset is vulnerable to Incorrect Authorization. The vulnerability is caused by a missing user permissions check in the import_chart method inside superset/charts/commands/importers/v1/utils.py. A non admin authenticated attacker can create resources incorrectly while using the import charts feature to exploiting this vulnerability.

CPENameOperatorVersion
apache-supersetle2.1.0
apache-supersetle2.1.0

CPE	Name	Operator	Version
	apache-superset	le	2.1.0
	apache-superset	le	2.1.0

References

github.com/advisories/GHSA-9qc3-p9jq-2x27

github.com/apache/superset/commit/cfc2ca672e7cea0e461b0b37be5174f88e6468ca

lists.apache.org/thread/ndww89yl2jd98lvn23n9cj722lfdg8dv

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

28.0%

JSON

Related for VERACODE:43187