CVE-2024-28148 — Incorrect Authorization in Software Foundation Apache Superset

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 76.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedMay 7

Description

An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/superset< 4.0.0

▶CVEListV5apache_software_foundation/apache_superset< 3.1.2

🔴Vulnerability Details

GHSA

Apache Superset Incorrect Authorization vulnerability↗2024-05-07

▶

CVEList

Apache Superset: Incorrect datasource authorization on explore REST API↗2024-05-07

▶

OSV

Apache Superset Incorrect Authorization vulnerability↗2024-05-07

▶