
CVE-2022-41703 apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <=1.5.2 || =2.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00113 (percentile 0.30584)

Details

Apache Superset's SQL Alchemy connector vulnerable to SQL Injection

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields that reference tables on the same database which the user should not have access to, even though the feature flag "ALLOW_ADHOC_SUBQUERY" is disabled (the default value). This issue affects Apache Superset version 1.5.2 and prior versions, and version 2.0.0.

Metadata

Created: 2023-01-16T12:30:18Z
Modified: 2025-04-08T22:02:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-cxvp-3frm-3876/GHSA-cxvp-3frm-3876.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-cxvp-3frm-3876
Finding: F297
Auto approve: 1