CVE-2023-42502 – apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <3.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00057 pctl0.17713

Details

Apache Superset Open Redirect vulnerability An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

Metadata

Created: 2023-11-28T18:30:23Z
Modified: 2023-12-05T21:56:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-hc74-9vjm-c9xv/GHSA-hc74-9vjm-c9xv.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-hc74-9vjm-c9xv
Finding: F100
Auto approve: 1