Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05ODMyLW1nZzQtM2dyNs4AA1um
Apache Superset has improper default REST API permission for Gamma users
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.
Permalink: https://github.com/advisories/GHSA-9832-mgg4-3gr6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05ODMyLW1nZzQtM2dyNs4AA1um
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Percentage: 0.00222
EPSS Percentile: 0.59989
Identifiers: GHSA-9832-mgg4-3gr6, CVE-2023-36387
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-36387
- https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3
- https://github.com/apache/superset/pull/24185
- https://github.com/advisories/GHSA-9832-mgg4-3gr6
Blast Radius: 7.2
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 180,664 last month
Affected Version Ranges: <= 2.1.0
No known fixed version
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0