Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-44451

CWE-522Insufficiently Protected Credentials6 documents5 sources
Severity
6.5MEDIUM
EPSS
75.3%
top 1.11%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedFeb 1
Latest updateFeb 2

Description

Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

PyPIapache-superset< 1.4.0
NVDapache/superset1.3.2
CVEListV5apache_software_foundation/apache_supersetApache Superset1.3.2

🔴Vulnerability Details

4
GHSA
Insufficiently Protected Credentials in Apache Superset2022-02-02
OSV
Insufficiently Protected Credentials in Apache Superset2022-02-02
CVEList
API sensitive information leak2022-02-01
OSV
CVE-2021-44451: Apache Superset up to and including 12022-02-01

💥Exploits & PoCs

1
Nuclei
Apache Superset <=1.3.2 - Default Login
CVE-2021-44451 (MEDIUM CVSS 6.5) | Apache Superset up to and including | cvebase.io