CVE-2021-41972 — Insufficiently Protected Credentials in Software Foundation Apache Superset

CWE-522 — Insufficiently Protected Credentials5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedNov 12

Latest updateMay 24

Description

Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/superset1.3.1

▶CVEListV5apache_software_foundation/apache_supersetApache Superset — 1.3.1

🔴Vulnerability Details

OSV

Apache Superset allowed for database connections password leak for authenticated users↗2022-05-24

▶

GHSA

Apache Superset allowed for database connections password leak for authenticated users↗2022-05-24

▶

CVEList

Credentials leak↗2021-11-12

▶

OSV

CVE-2021-41972: Apache Superset up to and including 1↗2021-11-12

▶