CVE-2023-49736
Published: 2023-12-19
Severity: high (CVSS 3.1 base score 8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A where_in Jinja macro allows users to specify a quote character which, combined with a carefully crafted statement, allows for SQL injection in Apache Superset. This issue affects Apache Superset: before 2.1.2, and from 3.0.0 before 3.0.2.
Users are recommended to upgrade to version 3.0.2 (or 2.1.2 on the 2.1 line), which fixes the issue.
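As an added illustration (not Apache Superset's own code), the following Python models the pattern the advisory describes: a `where_in` macro that wraps filter values in a caller-chosen quote character and "escapes" them by doubling that same character. Because the template author controls the mark, passing a mark that is not the SQL string delimiter (the empty string here) leaves the values unquoted, and a crafted value becomes SQL. The hardened variant is one possible remedy, assumed here rather than taken from the upstream fix: it accepts only the single quote and quotes everything that is not a plain number. The table, the sample values and the `run_filter` helper are constructed for the demonstration.

```python
"""Model of a Jinja `where_in` macro whose quote character is caller-chosen.

Added, simplified illustration; not Apache Superset's code.
`where_in_vulnerable` mirrors the flawed pattern the advisory describes:
values are escaped by doubling the `mark` the template author passed, so a
mark that is not the SQL string delimiter disables the quoting entirely.
`where_in_hardened` is one possible fix (an assumption, not the upstream
patch): it refuses any mark but the single quote.
"""
import sqlite3
from typing import Any, Iterable

# Constructed sample inputs: an honest filter and an injected one.
HONEST_VALUES = [1, 3]
PAYLOAD_VALUES = ["1) OR 1=1 --"]


def where_in_vulnerable(values: Iterable[Any], mark: str = "'") -> str:
    """Build "(v1, v2, ...)" for an IN clause; strings are wrapped in `mark`
    with embedded marks doubled. The escaping only means something when
    `mark` is the engine's string delimiter, and the caller picks `mark`."""
    def quote(value: Any) -> str:
        if isinstance(value, str):
            return mark + value.replace(mark, mark * 2) + mark
        return str(value)
    return "(" + ", ".join(quote(v) for v in values) + ")"


ALLOWED_MARKS = {"'"}  # assumption: only the standard SQL string delimiter


def where_in_hardened(values: Iterable[Any], mark: str = "'") -> str:
    """Same contract, but the mark is validated and only plain numbers are
    emitted unquoted; everything else is stringified and quoted."""
    if mark not in ALLOWED_MARKS:
        raise ValueError(f"unsupported quote mark: {mark!r}")

    def quote(value: Any) -> str:
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return str(value)
        text = str(value)
        return mark + text.replace(mark, mark * 2) + mark
    return "(" + ", ".join(quote(v) for v in values) + ")"


def accepts_mark(mark: str) -> bool:
    """True if the hardened macro will render with this mark."""
    try:
        where_in_hardened(["probe"], mark=mark)
    except ValueError:
        return False
    return True


def run_filter(in_clause: str) -> list:
    """Render the macro output into a query and run it against a constructed
    in-memory table, returning the matched names (sorted)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    sql = f"SELECT name FROM users WHERE id IN {in_clause}"
    return sorted(row[0] for row in con.execute(sql))


if __name__ == "__main__":
    # With the default mark the doubling works: ('a''b')
    print(where_in_vulnerable(["a'b"]))
    # With an empty mark nothing is quoted: (1) OR 1=1 --)
    print(where_in_vulnerable(PAYLOAD_VALUES, mark=""))
    # The payload collapses the WHERE clause and returns every row.
    print(run_filter(where_in_vulnerable(PAYLOAD_VALUES, mark="")))
    # Hardened: the payload stays a string literal and matches nothing.
    print(run_filter(where_in_hardened(PAYLOAD_VALUES)))
    print(run_filter(where_in_hardened(HONEST_VALUES)))
```

The relevant attacker is whoever can author templated SQL once Superset's template processing is enabled, which is consistent with the vector above requiring low privileges (PR:L) and no user interaction. The structural lesson is that an escaping routine must not take its delimiter from the same party whose input it is escaping; the hardened version pins the delimiter and treats the mark as a whitelist, not a parameter.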
Affected versions (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | superset | < 2.1.2 | 2.1.2 |
| apache | superset | >= 3.0.0 < 3.0.2 | 3.0.2 |
| apache_software_foundation | apache_superset | < 2.1.2 | 2.1.2 |
| apache_software_foundation | apache_superset | >= 3.0.0 < 3.0.2 | 3.0.2 |