GHSA-vv65-fjfj-4736

Source

https://github.com/advisories/GHSA-vv65-fjfj-4736

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vv65-fjfj-4736/GHSA-vv65-fjfj-4736.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vv65-fjfj-4736

Aliases

Published

2023-11-27T12:30:55Z

Modified

2025-02-13T19:33:15.977945Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Apache Superset has Incorrect Default Permissions

Details

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read permission from the mentioned resources.

Database specific

{
    "nvd_published_at": "2023-11-27T11:15:07Z",
    "cwe_ids": [
        "CWE-276"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T20:53:25Z"
}

References

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.2

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

2.*

2.0.0

2.0.1

2.1.0

2.1.1rc1

2.1.1rc2

2.1.1rc3

2.1.1