
List:       oss-security
Subject:    [oss-security] CVE-2021-41971: Apache Superset: Possible SQL Injection when template processing is e
From:       Daniel Gaspar <dpgaspar () apache ! org>
Date:       2021-10-15 13:06:39
Message-ID: 32945ab5-3cec-2ba1-cc35-b01dec67ed86 () apache ! org

Severity: low

Description:

Apache Superset up to and including 1.3.0, when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default), allowed SQL injection when a malicious authenticated user sends an HTTP request with a custom URL.


Mitigation:

Don't enable ENABLE_TEMPLATE_PROCESSING (disabled by default), or upgrade to Apache Superset 1.3.1.
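The two conditions in the advisory (an affected version and the feature flag turned on) can be checked mechanically before a deployment goes out. The helper below is an added example, not code from the advisory or from the Superset project; it assumes the flag is set in the FEATURE_FLAGS dict of superset_config.py (Superset's documented place for feature flags) and that the version string is dotted major.minor.patch. The two config strings are constructed samples.

```python
"""Audit helper: is a Superset deployment in the configuration CVE-2021-41971 describes?"""
import ast
import re

# Boundaries taken from the advisory text.
AFFECTED_UPTO = (1, 3, 0)   # "up to and including 1.3.0"
FIXED_VERSION = (1, 3, 1)   # "upgrade to Apache Superset 1.3.1"

# Constructed sample configs (assumption: flag lives in FEATURE_FLAGS, Superset's documented location).
VULNERABLE_CONFIG = """
SECRET_KEY = "replace-me"
FEATURE_FLAGS = {
    "ENABLE_TEMPLATE_PROCESSING": True,
}
"""

HARDENED_CONFIG = """
SECRET_KEY = "replace-me"
FEATURE_FLAGS = {
    "ENABLE_TEMPLATE_PROCESSING": False,
}
"""


def parse_version(version: str) -> tuple:
    """'1.3.0' -> (1, 3, 0). Only the first three numeric components are used,
    so a pre-release tag such as '1.3.1rc1' still compares as 1.3.1."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def template_processing_enabled(config_source: str) -> bool:
    """Statically read ENABLE_TEMPLATE_PROCESSING out of a superset_config.py source
    string without executing it. Returns False when the flag is absent, matching
    Superset's default. Only a literal FEATURE_FLAGS dict is recognised."""
    tree = ast.parse(config_source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign) or not isinstance(node.value, ast.Dict):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "FEATURE_FLAGS" for t in node.targets):
            continue
        for key, value in zip(node.value.keys, node.value.values):
            if isinstance(key, ast.Constant) and key.value == "ENABLE_TEMPLATE_PROCESSING":
                return bool(ast.literal_eval(value))
    return False


def is_affected(version: str, config_source: str) -> bool:
    """True only when both advisory conditions hold: affected version AND flag enabled."""
    return parse_version(version) <= AFFECTED_UPTO and template_processing_enabled(config_source)


def recommended_action(version: str, config_source: str) -> str:
    """Map the deployment state onto the advisory's two mitigations."""
    if not is_affected(version, config_source):
        return "no action: not in the affected configuration"
    return ("disable ENABLE_TEMPLATE_PROCESSING or upgrade to "
            + ".".join(str(p) for p in FIXED_VERSION))


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ver in ("1.3.0", "1.3.1"):
            print(f"{label:10s} {ver}: {recommended_action(ver, cfg)}")
```

Reading the config with `ast` rather than importing it keeps the audit from running arbitrary code in a config file pulled from another host; the trade-off is that flags set programmatically (for example via `FEATURE_FLAGS.update(...)`) are not seen, so a False result from this helper should be confirmed against the running instance.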

Credit:

Apache Superset would like to thank Kevin Kusnardi for reporting this issue.

