CVE-2024-24779

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 67.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedFeb 28

Description

Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages3 packages

▶NVDapache/superset3.1.0 — 3.1.1+1

▶PyPIapache-superset3.1.0 — 3.1.1+1

▶CVEListV5apache_software_foundation/apache_superset3.1.0 — 3.1.1+1

🔴Vulnerability Details

GHSA

Apache Superset: Improper data authorization when creating a new dataset↗2024-02-28

▶

OSV

Apache Superset: Improper data authorization when creating a new dataset↗2024-02-28

▶

CVEList

Apache Superset: Improper data authorization when creating a new dataset↗2024-02-28

▶