Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ4am0td3ZqOS05YzM5
Information disclosure in Apache Superset
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.
Permalink: https://github.com/advisories/GHSA-fxjm-wvj9-9c39
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ4am0td3ZqOS05YzM5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: 5 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00047
EPSS Percentile: 0.19525
Identifiers: GHSA-fxjm-wvj9-9c39, CVE-2020-1932
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1932
- https://lists.apache.org/thread.html/r4e5323c3bc786005495311a6ff53ac6d990b2c7eb52941a1a13ce227%40%3Cdev.superset.apache.org%3E
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2020-224.yaml
- https://github.com/advisories/GHSA-fxjm-wvj9-9c39
Affected Packages
pypi:apache-superset
Dependent packages: 5
Dependent repositories: 22
Downloads: 180,664 last month
Affected Version Ranges: >= 0.34.0, < 0.35.2
Fixed in: 0.35.2
All affected versions: 0.34.0, 0.34.1, 0.35.1
All unaffected versions: 0.35.2, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.38.0, 0.38.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1