Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qZnhqLXhmNjcteDcyM84AA35f
Apache Superset SQL injection vulnerability
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.3, from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 2.1.3 or 3.0.2, which fixes the issue.
Permalink: https://github.com/advisories/GHSA-jfxj-xf67-x723JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZnhqLXhmNjcteDcyM84AA35f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-jfxj-xf67-x723, CVE-2023-49736
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-49736
- https://lists.apache.org/thread/1kf481bgs3451qcz6hfhobs7xvhp8n1p
- https://github.com/apache/superset/pull/25779
- https://github.com/apache/superset/commit/1d403dab9822a8cee6108669c53e53fad881c751
- https://github.com/apache/superset/commit/34101594e284ab3acce692f41aff7759ccb4bf1d
- http://www.openwall.com/lists/oss-security/2023/12/19/2
- https://github.com/advisories/GHSA-jfxj-xf67-x723
Blast Radius: 8.7
Affected Packages
pypi:apache-superset
Dependent packages: 5Dependent repositories: 22
Downloads: 158,267 last month
Affected Version Ranges: >= 3.0.0, < 3.0.2, < 2.1.3
Fixed in: 3.0.2, 2.1.3
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 3.0.0, 3.0.1
All unaffected versions: 2.1.3, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0