Veracode Vulnerability Database: VERACODE:43227
Sep 12, 2023 - 7:13 a.m.

Improper Input Validation

2023-09-12 07:13:06
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
improper input validation
apache-superset
sqlite database
unintended file creation
webservers

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.001 Low (Percentile: 47.6%)

apache-superset is vulnerable to Improper Input Validation. An attacker can potentially trick a user into registering a SQLite database connection incorrectly by employing alternative driver names such as sqlite+pysqlite or by using database imports. This vulnerability may enable unintended file creation on Superset webservers.
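
A connection-URI check that closes the gap described above, shown beside a weak one. This is an added example, not Veracode's or Apache Superset's code: the naive prefix test, the function names, the blocklist policy and the sample URIs are assumptions made for illustration.

```python
# Added illustration. Names and the naive check are assumptions,
# not code taken from Apache Superset.

BLOCKED_BACKENDS = {"sqlite"}  # assumed policy: no file-backed SQLite


def naive_is_sqlite(uri: str) -> bool:
    """Weak check: recognises only the bare 'sqlite' scheme, so a
    '+driver' suffix such as sqlite+pysqlite slips past it."""
    return uri.lower().startswith("sqlite://")


def backend_name(uri: str) -> str:
    """Return the backend (dialect) part of a SQLAlchemy-style URI:
    the scheme before any '+driver' suffix, lower-cased."""
    scheme, sep, _rest = uri.strip().partition("://")
    if not sep or not scheme:
        raise ValueError("not a database URI: missing scheme")
    return scheme.partition("+")[0].lower()


def is_blocked(uri: str) -> bool:
    """Hardened check: compare the backend only, ignoring the driver.
    URIs that cannot be parsed are rejected (fail closed)."""
    try:
        return backend_name(uri) in BLOCKED_BACKENDS
    except ValueError:
        return True


def validate_connection(uri: str) -> None:
    """Single gate to call from every path that registers a connection,
    the create/edit form and the database import alike."""
    if is_blocked(uri):
        raise PermissionError("SQLite connections are not allowed")


# Constructed sample URIs (not taken from the advisory).
SAMPLES = [
    "sqlite:///tmp/a.db",
    "sqlite+pysqlite:///tmp/a.db",
    "postgresql+psycopg2://user@db.example/app",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r}: naive={naive_is_sqlite(uri)} hardened={is_blocked(uri)}")
```

The second sample is the case the advisory names: the naive test reports it as not SQLite, while the backend comparison blocks it.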
