CVE-2023-25504 — Server-Side Request Forgery in Software Foundation Apache Superset

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

6.5MEDIUMNVD

CNA4.9

EPSS

0.0%

top 87.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedApr 17

Latest updateJul 6

Description

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/superset2.0.1

▶CVEListV5apache_software_foundation/apache_superset2.0.1

🔴Vulnerability Details

OSV

Apache Superset Server-Side Request Forgery vulnerability↗2023-07-06

▶

GHSA

Apache Superset Server-Side Request Forgery vulnerability↗2023-07-06

▶

CVEList

Apache Superset: Possible SSRF on import datasets↗2023-04-17

▶