CVE-2024-27315 – apache-superset
Package
Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <3.0.4 || >=3.1.0 <3.1.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00089 (percentile: 0.26361)
Details
Apache Superset: Improper error handling on alerts
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert, exposing possibly sensitive data.
This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.
Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
Metadata
Created: 2024-02-28T12:30:25Z
Modified: 2024-10-03T18:06:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-h7r6-8qmm-hj5r/GHSA-h7r6-8qmm-hj5r.json
CWE IDs: ["CWE-200", "CWE-209"]
Alternative ID: GHSA-h7r6-8qmm-hj5r
Finding: F310
Auto approve: 1