PYSEC-2021-128

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2021-128.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2021-128

Aliases

BIT-superset-2021-28125
CVE-2021-28125
GHSA-pfwg-rxf4-97c3

Published

2021-04-27T10:15:00Z

Modified

2025-02-05T09:11:57.009411Z

Summary

[none]

Details

Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.

References

https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3Cdev.superset.apache.org%3E
https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cdev.superset.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/04/27/2
https://github.com/advisories/GHSA-pfwg-rxf4-97c3

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.0

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1