CVE-2023-40610

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGH

EPSS

0.3%

top 45.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedNov 27

Latest updateNov 28

Description

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:NExploitability: 1.8 | Impact: 4.0

Affected Packages3 packages

▶NVDapache/superset< 2.1.2

▶PyPIapache-superset< 2.1.2

▶CVEListV5apache_software_foundation/apache_superset< 2.1.2

🔴Vulnerability Details

GHSA

Apache Superset - Elevation of Privilege↗2023-11-28

▶

OSV

Apache Superset - Elevation of Privilege↗2023-11-28

▶

CVEList

Apache Superset: Privilege escalation with default examples database↗2023-11-27

▶