CVE-2023-36387

CWE-863 — Incorrect Authorization CWE-281 CWE-918 — Server-Side Request Forgery (SSRF)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.0%

top 94.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedSep 6

Description

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDapache/superset2.1.0

▶PyPIapache-superset2.1.0

▶CVEListV5apache_software_foundation/apache_superset2.1.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Apache Superset has improper default REST API permission for Gamma users↗2023-09-06

▶

GHSA

Apache Superset has improper default REST API permission for Gamma users↗2023-09-06

▶

CVEList

Apache Superset: Improper API permission for low privilege users↗2023-09-06

▶