Lucene search

GitHub Advisory DatabaseGHSA-WR6G-9WCR-CMQJ

HistoryFeb 28, 2024 - 12:30 p.m.

Apache Superset: Improper data authorization when creating a new dataset

2024-02-2812:30:27

CWE-863

GitHub Advisory Database

github.com

apache superset

data authorization

virtual datasets

unauthorized access

security issue

upgrade.

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

Percentile

9.0%

JSON

Apache Superset with custom roles that include can write on dataset and without all data access permissions, allows for users to create virtual datasets to data they don’t have access to. These users could then use those virtual datasets to get access to unauthorized data.
This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Affected configurations

Vulners

Node

apachesupersetRange3.1.0–3.1.1

apachesupersetRange≤3.0.3

VendorProductVersionCPE
apachesuperset*cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	superset	*	cpe:2.3:a:apache:superset::::::::

References

www.openwall.com/lists/oss-security/2024/02/28/6

github.com/advisories/GHSA-wr6g-9wcr-cmqj

lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq

nvd.nist.gov/vuln/detail/CVE-2024-24779

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for GHSA-WR6G-9WCR-CMQJ