Lucene search

GitHub Advisory DatabaseGHSA-FCG4-PM6H-9XX2

HistoryJan 16, 2023 - 12:30 p.m.

Apache Superset Open Redirect vulnerability

2023-01-1612:30:17

CWE-601

GitHub Advisory Database

github.com

apache superset

open redirect

vulnerability

update datasets permission

untrusted site

version 1.5.2

version 2.0.0

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

45.9%

JSON

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected configurations

Vulners

Node

apachesupersetMatch2.0.0

apachesupersetRange≤1.5.2

VendorProductVersionCPE
apachesuperset2.0.0cpe:2.3:a:apache:superset:2.0.0:*:*:*:*:*:*:*
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	2.0.0	cpe:2.3:a:apache:superset:2.0.0:::::::*
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

github.com/advisories/GHSA-fcg4-pm6h-9xx2

lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg

nvd.nist.gov/vuln/detail/CVE-2022-43721