Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZndnLXJ4ZjQtOTdjM80WMg
Open Redirect in Apache Superset
Apache Superset prior to 1.1.0 allowed the creation of an external URL that could be malicious. Because the URL shortener functionality did not check user input for open redirects, a malicious user could create a short URL for a dashboard that could convince a victim to click the link.
Permalink: https://github.com/advisories/GHSA-pfwg-rxf4-97c3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZndnLXJ4ZjQtOTdjM80WMg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-pfwg-rxf4-97c3, CVE-2021-28125
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-28125
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3Cdev.superset.apache.org%3E
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cdev.superset.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/04/27/2
- https://github.com/apache/superset/commit/eb35b804acf4d84cb70d02743e04b8afebbee029
- https://github.com/advisories/GHSA-pfwg-rxf4-97c3
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-128.yaml
Blast Radius: 8.2
Affected Packages
pypi:apache-superset
Dependent packages: 5
Dependent repositories: 22
Downloads: 157,096 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 0.34.0, 0.34.1, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1
All unaffected versions: 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0
pypi:superset
Dependent packages: 1
Dependent repositories: 21
Downloads: 1,516 last month
Affected Version Ranges: <= 0.34.0
No known fixed version
All affected versions: 0.13.2, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.3, 0.15.4, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.18.0, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.24.0, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.26.0, 0.26.2, 0.26.3, 0.27.0, 0.28.0, 0.28.1, 0.30.0, 0.30.1