Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13cThxLTk5cDUteGZyd84AA3Xf
Apache Superset Cross-site Scripting vulnerability
Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.
Users are recommended to upgrade to version 2.1.2, which fixes this issue.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cThxLTk5cDUteGZyd84AA3Xf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-wq8q-99p5-xfrw, CVE-2023-43701
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43701
- https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892
- http://www.openwall.com/lists/oss-security/2023/11/27/4
- https://www.openwall.com/lists/oss-security/2023/11/27/4
- https://github.com/advisories/GHSA-wq8q-99p5-xfrw
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 158,267 last month
Affected Version Ranges: < 2.1.2
Fixed in: 2.1.2
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1
All unaffected versions: 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0