CVE-2023-36388 – apache-superset
Package
Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <=2.1.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00099 (percentile 0.28136)
Details
Apache Superset Server Side Request Forgery vulnerability. Improper REST API permission in Apache Superset up to and including 2.1.0 allows authenticated Gamma users to test network connections, a possible SSRF.
Metadata
Created: 2023-09-06T15:30:26Z
Modified: 2023-09-08T12:18:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4fg9-5w46-xmrj/GHSA-4fg9-5w46-xmrj.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-4fg9-5w46-xmrj
Finding: F100
Auto approve: 1