CVE-2023-43701 apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <2.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00129 (percentile 0.33053)

Details

Apache Superset Cross-site Scripting vulnerability. Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in a chart's metadata; this code could be executed if a user accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Metadata

Created: 2023-11-27T12:30:55Z
Modified: 2023-11-28T20:53:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wq8q-99p5-xfrw/GHSA-wq8q-99p5-xfrw.json
CWE IDs: CWE-79
Alternative ID: GHSA-wq8q-99p5-xfrw
Finding: F425
Auto approve: 1