Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05ODMyLW1nZzQtM2dyNs4AA1um
Apache Superset has improper default REST API permission for Gamma users
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.
Permalink: https://github.com/advisories/GHSA-9832-mgg4-3gr6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05ODMyLW1nZzQtM2dyNs4AA1um
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Identifiers: GHSA-9832-mgg4-3gr6, CVE-2023-36387
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-36387
- https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3
- https://github.com/apache/superset/pull/24185
- https://github.com/advisories/GHSA-9832-mgg4-3gr6
Blast Radius: 7.2
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 158,267 last month
Affected Version Ranges: <= 2.1.0
No known fixed version
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0