CVE-2023-39265 – apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <=2.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.72072 pctl0.98697

Details

Apache Superset Improper Input Validation vulnerability Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.

Metadata

Created: 2023-09-06T15:30:27Z
Modified: 2023-10-13T20:09:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-fm4q-j8g4-c9j4/GHSA-fm4q-j8g4-c9j4.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-fm4q-j8g4-c9j4
Finding: F184
Auto approve: 1