GHSA-hhm3-48h2-597v

Source

https://github.com/advisories/GHSA-hhm3-48h2-597v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hhm3-48h2-597v

Aliases

Published

2022-02-02T00:01:46Z

Modified

2025-02-05T09:11:53.522676Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Insufficiently Protected Credentials in Apache Superset

Details

Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

Database specific

{
    "github_reviewed_at": "2022-02-03T17:20:28Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2022-02-01T14:15:00Z"
}

References

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2