A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery
attacks and query internal resources on behalf of the server where Superset
is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/04/18/8 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx | Mailing List |
http://www.openwall.com/lists/oss-security/2023/04/18/8 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx | Mailing List |
Configurations
History
21 Nov 2024, 07:49
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.9 |
References | () http://www.openwall.com/lists/oss-security/2023/04/18/8 - Mailing List, Third Party Advisory | |
References | () https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx - Mailing List |
Information
Published : 2023-04-17 17:15
Updated : 2024-11-21 07:49
NVD link : CVE-2023-25504
Mitre link : CVE-2023-25504
CVE.ORG link : CVE-2023-25504
JSON object : View
Products Affected
apache
- superset
CWE
CWE-918
Server-Side Request Forgery (SSRF)