CVE-2023-36387 – apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <=2.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H

EPSS: 0.00019 pctl0.03519

Details

Apache Superset has improper default REST API permission for Gamma users An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

Metadata

Created: 2023-09-06T15:30:26Z
Modified: 2023-09-07T13:59:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-9832-mgg4-3gr6/GHSA-9832-mgg4-3gr6.json
CWE IDs: ["CWE-281", "CWE-863", "CWE-918"]
Alternative ID: GHSA-9832-mgg4-3gr6
Finding: F100
Auto approve: 1