NVD:CVE-2023-49736
Published: Dec 19, 2023 - 10:15 a.m. (2023-12-19 10:15:08)
CWE: CWE-89
Source: web.nvd.nist.gov
Tags: apache superset, sql injection, upgrade, cve-2023-49736, jinja macro, security issue

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 48.0%

The where_in Jinja macro allows users to specify the quote character, which, combined with a carefully crafted statement, allows SQL injection in Apache Superset. This issue affects Apache Superset before 2.1.2, and from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2, which fixes the issue.

Affected configurations

NVD node:
  apache superset, version range < 2.1.2
  OR
  apache superset, version range >= 3.0.0 and < 3.0.2

Vendor  Product   Version  CPE
apache  superset  *        cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
