Lucene search

GitHub Advisory DatabaseGHSA-9832-MGG4-3GR6

HistorySep 06, 2023 - 3:30 p.m.

Apache Superset has improper default REST API permission for Gamma users

2023-09-0615:30:26

CWE-281

CWE-863

CWE-918

GitHub Advisory Database

github.com

apache superset

rest api

gamma users

database connections

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

40.6%

JSON

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

Affected configurations

Vulners

Node

apachesupersetRange≤2.1.0

VendorProductVersionCPE
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

github.com/advisories/GHSA-9832-mgg4-3gr6

github.com/apache/superset/pull/24185

lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3

nvd.nist.gov/vuln/detail/CVE-2023-36387

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

40.6%

JSON

Related for GHSA-9832-MGG4-3GR6