Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oYzc0LTl2am0tYzl4ds4AA3Zp
Apache Superset Open Redirect vulnerability
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.
Permalink: https://github.com/advisories/GHSA-hc74-9vjm-c9xvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oYzc0LTl2am0tYzl4ds4AA3Zp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-hc74-9vjm-c9xv, CVE-2023-42502
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-42502
- https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn
- http://www.openwall.com/lists/oss-security/2023/11/28/3
- https://github.com/advisories/GHSA-hc74-9vjm-c9xv
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 158,267 last month
Affected Version Ranges: < 3.0.0
Fixed in: 3.0.0
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0