CVE-2023-39265

Severity: 6.5 MEDIUM
EPSS: 74.1% (top 1.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 6

Description

Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Exploitability: 1.2 | Impact: 2.5

Affected Packages: 3 packages

Vulnerability Details (4)

GHSA: Apache Superset Improper Input Validation vulnerability (2023-09-06)
OSV: Apache Superset Improper Input Validation vulnerability (2023-09-06)
CVEList: Apache Superset: Possible Unauthorized Registration of SQLite Database Connections (2023-09-06)
VulnCheck: Apache superset Improper Input Validation (2023)