List:       oss-security
Subject:    [oss-security] CVE-2023-40610: Apache Superset: Privilege escalation with default examples database
From:       Daniel Gaspar <dpgaspar () apache ! org>
Date:       2023-11-27 9:31:05
Message-ID: ec83c66b-4748-f48b-7396-e9fd654ffdff () apache ! org

Affected versions:

- Apache Superset before 2.1.2

Description:

Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, which allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data in the metadata database. This weakness could result in tampering with the authentication/authorization data.
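The weakness above is that a CTE can carry a data-modifying statement past a filter that only checks how a query begins. As an added illustration (not from the advisory or the Superset code base), the following compares a first-keyword "is this a SELECT?" check with one that inspects every statement and every keyword; all table names and sample queries are constructed.

```python
import re

# Keywords that modify data or schema. A read-only SQL endpoint should reject a
# statement if any of these appears anywhere in it, including inside a CTE body.
DML_KEYWORDS = frozenset(
    ("INSERT", "UPDATE", "DELETE", "MERGE", "ALTER", "DROP", "CREATE", "TRUNCATE", "GRANT")
)

_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_STRING_RE = re.compile(r"'(?:[^']|'')*'")


def _strip_literals(sql: str) -> str:
    """Remove comments and string literals so keywords inside them do not count."""
    return _STRING_RE.sub("''", _COMMENT_RE.sub(" ", sql))


def naive_is_select(sql: str) -> bool:
    """Weak check: only the first keyword is inspected, so 'WITH ... (UPDATE ...)' passes."""
    tokens = _strip_literals(sql).strip().split(None, 1)
    return bool(tokens) and tokens[0].upper() in ("SELECT", "WITH")


def hardened_is_read_only(sql: str) -> bool:
    """Stronger check: every statement must start with SELECT or WITH, and no
    DML keyword may appear anywhere in it. Deliberately conservative: an identifier
    that collides with a DML keyword is rejected too, which is the safer failure."""
    statements = [s.strip() for s in _strip_literals(sql).split(";") if s.strip()]
    if not statements:
        return False
    for stmt in statements:
        if stmt.split(None, 1)[0].upper() not in ("SELECT", "WITH"):
            return False
        words = set(re.findall(r"[A-Za-z_]+", stmt.upper()))
        if words & DML_KEYWORDS:
            return False
    return True


# Constructed sample queries (table names are placeholders, not Superset's).
PLAIN_SELECT = "SELECT name FROM examples_table WHERE note = 'delete me'"
CTE_WITH_DML = "WITH t AS (UPDATE some_table SET flag = 1 RETURNING id) SELECT * FROM t"
STACKED = "SELECT 1; DROP TABLE some_table"

if __name__ == "__main__":
    for q in (PLAIN_SELECT, CTE_WITH_DML, STACKED):
        print(f"naive={naive_is_select(q)!s:5} hardened={hardened_is_read_only(q)!s:5}  {q}")
```

The plain SELECT is accepted by both checks (the DML word inside the string literal is ignored), while the CTE wrapping an UPDATE and the stacked DROP slip past the naive check but are rejected by the hardened one.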

Credit:

LEXFO for Orange Innovation and Orange CERT-CC at Orange group (finder)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-40610

