Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NDhyLTVyOHEtMjczbc4AAtJB
Apache Superset allows authenticated users to access metadata they have no permission to
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.
Permalink: https://github.com/advisories/GHSA-748r-5r8q-273mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NDhyLTVyOHEtMjczbc4AAtJB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00064
EPSS Percentile: 0.29743
Identifiers: GHSA-748r-5r8q-273m, CVE-2021-37839
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-37839
- https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82
- https://github.com/apache/superset/commit/2bd89d1705347da5446902a3f65eb8d0a6353503
- https://github.com/advisories/GHSA-748r-5r8q-273m
Blast Radius: 5.8
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 180,664 last month
Affected Version Ranges: < 1.5.1
Fixed in: 1.5.1
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0
All unaffected versions: 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1