CVE-2024-27315

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-27315

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27315.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-27315

Aliases

Published

2024-02-28T10:15:09Z

Modified

2025-02-05T09:11:46.804132Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data.

This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

References

Affected packages

Git / github.com/apache/incubator-superset

Affected ranges

Type: GIT
Repo: https://github.com/apache/incubator-superset
Events: Introduced

0cd2431989f2d0182c02f33c88a5dc9645403980

Fixed

49fee6c776fb742acf6a9a5c59ee2cf8d257f89b

Type: GIT
Repo: https://github.com/apache/superset
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7f0decb259241f932cb940da454b174b735272ab