CVE-2023-36388 — Server-Side Request Forgery in Software Foundation Apache Superset

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.3

EPSS

0.1%

top 68.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedSep 6

Description

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDapache/superset2.1.0

▶CVEListV5apache_software_foundation/apache_superset2.1.0

🔴Vulnerability Details

OSV

Apache Superset Server Side Request Forgery vulnerability↗2023-09-06

▶

GHSA

Apache Superset Server Side Request Forgery vulnerability↗2023-09-06

▶

CVEList

Apache Superset: Improper API permission for low privilege users allows for SSRF↗2023-09-06

▶