CVE-2024-24773 – apache-superset
Package
Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <3.0.4 || >=3.1.0 <3.1.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00099 (percentile: 0.28126)
Details
Apache Superset: Improper validation of SQL statements allows for unauthorized access to data

Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
Metadata
Created: 2024-02-28T12:30:26Z
Modified: 2025-02-13T19:10:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-5474-f7g5-273q/GHSA-5474-f7g5-273q.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-5474-f7g5-273q
Finding: F006
Auto approve: 1