BIT-superset-2025-48912

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/superset/BIT-superset-2025-48912.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-superset-2025-48912

Aliases

Published

2025-06-03T15:03:14.788Z

Modified

2025-06-03T16:59:25.476054Z

Summary

Apache Superset: Improper authorization bypass on row level security via SQL Injection

Details

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:apache:superset:*:*:*:*:*:python:*:*"
    ]
}

References

Affected packages

Bitnami / superset

Package

Name: superset
Purl: pkg:bitnami/superset

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.2