CVE-2024-55633

CWE-863Incorrect AuthorizationCWE-2854 documents4 sources
Severity
7.1HIGH
EPSS
1.0%
top 22.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedDec 12

Description

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fix

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDapache/superset< 4.1.0
PyPIapache-superset< 4.1.0

🔴Vulnerability Details

3
OSV
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access2024-12-12
GHSA
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access2024-12-12
CVEList
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access2024-12-12
CVE-2024-55633 (HIGH CVSS 7.1) | Improper Authorization vulnerabilit | cvebase.io