CVE-2023-42505 – apache-superset
Package
Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <3.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0003 (percentile: 0.06934)
Details
Apache Superset: Exposure of Sensitive Information to an Unauthorized Actor vulnerability
An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0.
Metadata
Created: 2023-11-28T18:30:23Z
Modified: 2025-02-13T19:25:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fgpw-4w69-j256/GHSA-fgpw-4w69-j256.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-fgpw-4w69-j256
Finding: F038
Auto approve: 1