CVE-2023-32672

Source
https://cve.org/CVERecord?id=CVE-2023-32672
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32672.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-32672
Aliases
Published
2023-09-06T13:16:02.396Z
Modified
2026-07-08T06:27:10.205833054Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Superset: SQL parser edge case bypasses data access authorization
Details

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32672.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-863"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "2.1.0"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/apache/superset

Affected ranges

Type
GIT
Repo
https://github.com/apache/superset
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

0.*
0.10.0
0.11.0
0.12.0
0.13.1
0.13.2
0.14.1
0.15.0
0.15.1
0.15.3
0.15.4
0.15.4.1
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.18.2
0.18.3
0.18.4
0.18.5
0.19.1
0.2.1
0.20.1
0.25-fork
0.29.0rc1
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.7.0
0.8.0
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.9.0
0.9.1
2.*
2.1.0
2.1.0rc2
2.1.0rc3
2020.*
2020.51.1
airbnb_prod.*
airbnb_prod.0.10.0.2
airbnb_prod.0.11.0.1
airbnb_prod.0.11.0.2
airbnb_prod.0.11.0.3
airbnb_prod.0.11.0.4
airbnb_prod.0.11.0.5
airbnb_prod.0.11.0.6
airbnb_prod.0.12.0.1
airbnb_prod.0.12.1.0
airbnb_prod.0.13.0.0
airbnb_prod.0.13.0.1
airbnb_prod.0.13.0.2
airbnb_prod.0.13.0.3
airbnb_prod.0.15.0.1
airbnb_prod.0.15.4.1
airbnb_prod.0.15.4.2
airbnb_prod.0.15.5.0
Other
dummy
rm
test_tag
superset-helm-chart-0.*
superset-helm-chart-0.1.0
superset-helm-chart-0.1.1
superset-helm-chart-0.1.2
superset-helm-chart-0.1.3
superset-helm-chart-0.1.4
superset-helm-chart-0.1.5
superset-helm-chart-0.1.6
superset-helm-chart-0.2.0
superset-helm-chart-0.2.1
superset-helm-chart-0.3.0
superset-helm-chart-0.3.1
superset-helm-chart-0.3.10
superset-helm-chart-0.3.11
superset-helm-chart-0.3.12
superset-helm-chart-0.3.2
superset-helm-chart-0.3.3
superset-helm-chart-0.3.4
superset-helm-chart-0.3.5
superset-helm-chart-0.3.6
superset-helm-chart-0.3.7
superset-helm-chart-0.3.8
superset-helm-chart-0.3.9
superset-helm-chart-0.4.0
superset-helm-chart-0.5.0
superset-helm-chart-0.5.1
superset-helm-chart-0.5.10
superset-helm-chart-0.5.2
superset-helm-chart-0.5.3
superset-helm-chart-0.5.4
superset-helm-chart-0.5.5
superset-helm-chart-0.5.6
superset-helm-chart-0.5.7
superset-helm-chart-0.5.8
superset-helm-chart-0.5.9
superset-helm-chart-0.6.0
superset-helm-chart-0.6.1
superset-helm-chart-0.6.2
superset-helm-chart-0.6.3
superset-helm-chart-0.6.4
superset-helm-chart-0.6.5
superset-helm-chart-0.6.6
superset-helm-chart-0.7.0
superset-helm-chart-0.7.1
superset-helm-chart-0.7.2
superset-helm-chart-0.7.3
superset-helm-chart-0.7.4
superset-helm-chart-0.7.6
superset-helm-chart-0.7.7
superset-helm-chart-0.8.0
superset-helm-chart-0.8.1
superset-helm-chart-0.8.2
superset-helm-chart-0.8.3
superset-helm-chart-0.8.4
superset-helm-chart-0.8.5
superset-helm-chart-0.8.6
v2020.*
v2020.51.0
v2021.*
v2021.10.0
v2021.13.0
v2021.15.0
v2021.17.0
v2021.18.0
v2021.19.0
v2021.20.0
v2021.21.0
v2021.22.0
v2021.23.0
v2021.23.1
v2021.24.0
v2021.25.0
v2021.27.0
v2021.27.1
v2021.29.0
v2021.3.0
v2021.31.0
v2021.34.0
v2021.35.0
v2021.36.0
v2021.36.5
v2021.38.0
v2021.40.0
v2021.41.0
v2021.5.0
v2021.5.1
v2021.6.0
v2021.7.0
v2021.8.0
v2021.9.0
v2021.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32672.json"