PYSEC-2020-224

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2020-224.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2020-224

Aliases

BIT-superset-2020-1932
CVE-2020-1932
GHSA-fxjm-wvj9-9c39

Published

2020-01-28T01:15:00Z

Modified

2025-02-05T09:12:01.670694Z

Summary

[none]

Details

An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.

References

https://lists.apache.org/thread.html/r4e5323c3bc786005495311a6ff53ac6d990b2c7eb52941a1a13ce227%40%3Cdev.superset.apache.org%3E
https://github.com/advisories/GHSA-fxjm-wvj9-9c39

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.35.2

Affected versions

0.*

0.34.0

0.34.1

0.35.1