CVE-2023-30776

CWE-522 — Insufficiently Protected Credentials CWE-200 — Information Exposure4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 48.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedApr 24

Latest updateJul 6

Description

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶PyPIapache-superset1.3.0 — 2.1.0

▶NVDapache/superset1.3.0 — 2.0.1

▶CVEListV5apache_software_foundation/apache_superset1.3.0 — 2.0.1

🔴Vulnerability Details

GHSA

Apache Superset vulnerable to Exposure of Sensitive Information↗2023-07-06

▶

OSV

Apache Superset vulnerable to Exposure of Sensitive Information↗2023-07-06

▶

CVEList

Apache Superset: Database connection password leak↗2023-04-24

▶