CVE-2023-42501 – apache-superset
Package
Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <2.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00072 (percentile 0.22439)
Details
Apache Superset has Incorrect Default Permissions. Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset versions before 2.1.2. Users should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role or remove the `can_read` permission from the mentioned resources.
Metadata
Created: 2023-11-27T12:30:55Z
Modified: 2025-02-13T19:25:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vv65-fjfj-4736/GHSA-vv65-fjfj-4736.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-vv65-fjfj-4736
Finding: F164
Auto approve: 1