CVE-2020-13952: Sensitive Information Exposure in Apache Superset

Severity: 8.1 HIGH (NVD)
EPSS: 0.1% (top 68.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 30; Latest update Apr 30

Description

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connecti

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: apache/superset < 0.37.2
CVEListV5: apache_software_foundation/apache_superset, Apache Superset < 0.37.2

Vulnerability Details (4)

GHSA: Plaintext password leak in Apache Superset (2021-04-30)
OSV: Plaintext password leak in Apache Superset (2021-04-30)
OSV: CVE-2020-13952: In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines c (2020-09-30)
CVEList: CVE-2020-13952: In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines c (2020-09-30)
CVE-2020-13952 — Sensitive Information Exposure | cvebase