GHSA-4fg9-5w46-xmrj

Source

https://github.com/advisories/GHSA-4fg9-5w46-xmrj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4fg9-5w46-xmrj/GHSA-4fg9-5w46-xmrj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4fg9-5w46-xmrj

Aliases

Published

2023-09-06T15:30:26Z

Modified

2025-02-05T09:11:45.447970Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Apache Superset Server Side Request Forgery vulnerability

Details

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.

Database specific

{
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-08T12:18:25Z",
    "nvd_published_at": "2023-09-06T13:15:08Z",
    "severity": "MODERATE"
}

References

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.1.0

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

2.*

2.0.0

2.0.1

2.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4fg9-5w46-xmrj/GHSA-4fg9-5w46-xmrj.json"