Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NDhyLTVyOHEtMjczbc4AAtJB
Apache Superset allows authenticated users to access metadata they have no permission to
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.
Permalink: https://github.com/advisories/GHSA-748r-5r8q-273mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NDhyLTVyOHEtMjczbc4AAtJB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 8 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-748r-5r8q-273m, CVE-2021-37839
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-37839
- https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82
- https://github.com/apache/superset/commit/2bd89d1705347da5446902a3f65eb8d0a6353503
- https://github.com/advisories/GHSA-748r-5r8q-273m
Blast Radius: 5.8
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 157,968 last month
Affected Version Ranges: < 1.5.1
Fixed in: 1.5.1
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0
All unaffected versions: 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0