Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nNDlqLWo0ODktM3hwZs4AA35g

Apache Superset incorrect write permissions vulnerability

An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.3, from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.

Permalink: https://github.com/advisories/GHSA-g49j-j489-3xpf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNDlqLWo0ODktM3hwZs4AA35g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

EPSS Percentage: 0.00045
EPSS Percentile: 0.17588

Identifiers: GHSA-g49j-j489-3xpf, CVE-2023-49734
References:

Repository: https://github.com/apache/superset
Blast Radius: 10.3

Affected Packages

pypi:apache-superset

Dependent packages: 5
Dependent repositories: 22
Downloads: 180,664 last month
Affected Version Ranges: >= 3.0.0, < 3.0.2, < 2.1.3
Fixed in: 3.0.2, 2.1.3
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 3.0.0, 3.0.1
All unaffected versions: 2.1.3, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1