GHSA-392c-vjfv-h7wr

Source

https://github.com/advisories/GHSA-392c-vjfv-h7wr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-392c-vjfv-h7wr/GHSA-392c-vjfv-h7wr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-392c-vjfv-h7wr

Withdrawn

2024-01-10T19:16:30Z

Published

2023-11-27T12:30:55Z

Modified

2025-02-13T19:35:28.353776Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N CVSS Calculator

Summary

Duplicate Advisory: Apache Superset - Elevation of Privilege

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f678-j579-4xf5. This link is maintained to preserve external references.

Original Description

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.

Database specific

{
    "nvd_published_at": "2023-11-27T11:15:07Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T18:57:14Z"
}

References

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.2

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

2.*

2.0.0

2.0.1

2.1.0

2.1.1rc1

2.1.1rc2

2.1.1rc3

2.1.1