A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery
attacks and query internal resources on behalf of the server where Superset
is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/04/18/8 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx | Mailing List |
Configurations
History
No history.
Information
Published : 2023-04-17 17:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-25504
Mitre link : CVE-2023-25504
CVE.ORG link : CVE-2023-25504
JSON object : View
Products Affected
apache
- superset
CWE
CWE-918
Server-Side Request Forgery (SSRF)