CVE-2023-42501: Incorrect Default Permissions in Software Foundation Apache Superset

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 76.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 27

Description

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset versions before 2.1.2. Users should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role, or remove the `can_read` permission from the mentioned resources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 2 packages

Vulnerability Details (3)

GHSA: Apache Superset has Incorrect Default Permissions (2023-11-27)
CVEList: Apache Superset: Unnecessary read permissions within the Gamma role (2023-11-27)
OSV: Apache Superset has Incorrect Default Permissions (2023-11-27)