CVE-2021-41971

CWE-89SQL Injection5 documents4 sources
Severity
8.8HIGH
EPSS
0.6%
top 31.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedOct 18
Latest updateMay 24

Description

Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

PyPIapache-superset< 1.3.1
CVEListV5apache_software_foundation/apache_supersetApache Superset1.3.1
NVDapache/superset1.3.0

🔴Vulnerability Details

4
GHSA
Apache Superset SQL Injection when template processing is enabled2022-05-24
OSV
Apache Superset SQL Injection when template processing is enabled2022-05-24
OSV
CVE-2021-41971: Apache Superset up to and including 12021-10-18
CVEList
Possible SQL Injection when template processing is enabled2021-10-18
CVE-2021-41971 (HIGH CVSS 8.8) | Apache Superset up to and including | cvebase.io