An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1tNmptLTN2MzgtNzZqNM4AA5la

Severity: Moderate
EPSS: 0.00515% (0.65678 percentile)

Apache Superset: Improper Neutralization of custom SQL on embedded context

Affected Package          Affected Versions                Fixed Versions
pypi:apache-superset      >= 3.1.0, < 3.1.1; <= 3.0.3      3.1.1, 3.0.4
PURL: pkg:pypi/apache-superset

Package statistics:
5 dependent packages
22 dependent repositories
250,328 downloads last month

Affected Version Ranges

All affected versions

0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0

All unaffected versions

3.0.4, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.4, 5.0.0

A guest user could exploit a chart data REST API and send arbitrary SQL statements that, on error, could leak information from the underlying analytics database. This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fix the issue.

References: