List: oss-security
Subject: [oss-security] CVE-2023-40610: Apache Superset: Privilege escalation with default examples database
From: Daniel Gaspar <dpgaspar () apache ! org>
Date: 2023-11-27 9:31:05
Message-ID: ec83c66b-4748-f48b-7396-e9fd654ffdff () apache ! org
Affected versions:

- Apache Superset before 2.1.2

Description:

Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, which allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data in the metadata database. This weakness could result in tampering with the authentication/authorization data.

Credit:

LEXFO for Orange Innovation and Orange CERT-CC at Orange group (finder)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-40610
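As an added illustration, not code from Superset or from this advisory, the snippet below contrasts a read-only check that inspects only a statement's first keyword (the kind of check a data-modifying CTE slips past) with a stricter scan of the whole statement; the queries and table names are constructed placeholders.

```python
import re

# Constructed example (not Superset's code). Table names are placeholders.
DML_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "DROP",
                "ALTER", "CREATE", "GRANT", "REVOKE", "COPY", "CALL"}


def _strip_comments_and_strings(sql: str) -> str:
    """Blank out comments, string literals and quoted identifiers so that
    keywords appearing inside them do not influence the decision."""
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"'(?:[^']|'')*'", "''", sql)
    sql = re.sub(r'"[^"]*"', '""', sql)
    return sql


def naive_is_select(sql: str) -> bool:
    """Weak pattern: trusts the leading keyword only. A CTE whose body is
    an UPDATE/DELETE still starts with WITH and is accepted as a read."""
    first = _strip_comments_and_strings(sql).strip().split(None, 1)
    return bool(first) and first[0].upper() in {"SELECT", "WITH"}


def strict_is_read_only(sql: str) -> bool:
    """Stricter check: reject any DML/DDL keyword anywhere in the statement
    (including CTE bodies) and reject batches of several statements.
    Deliberately conservative: some legitimate queries may be refused."""
    cleaned = _strip_comments_and_strings(sql)
    if ";" in cleaned.rstrip().rstrip(";"):      # more than one statement
        return False
    words = {w.upper() for w in re.findall(r"[A-Za-z_]+", cleaned)}
    return not (words & DML_KEYWORDS)


# Constructed sample statements for the two checks.
PLAIN_SELECT = "SELECT name FROM examples.birth_names LIMIT 5"
CTE_WITH_WRITE = ("WITH w AS (UPDATE placeholder_table SET col = 1 RETURNING col) "
                  "SELECT * FROM w")
KEYWORD_IN_STRING = "SELECT 'UPDATE me' AS label FROM placeholder_table"
BATCH = "SELECT 1; DELETE FROM placeholder_table"
```

A keyword scan is only defence in depth: upgrading to 2.1.2 is the fix the advisory gives, and pointing the examples connection at a separate database with a read-only role removes the shared access to the metadata database that the description identifies.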