CVE-2023-39264

By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerability exists in Apache Superset versions up to and including 2.1.0.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75	Mailing List
https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:15

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75 - Mailing List~~	() https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75 - Mailing List

11 Sep 2023, 14:28

Type	Values Removed	Values Added
References	~~(MISC) https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75 -~~	(MISC) https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75 - Mailing List
CPE		cpe:2.3:a:apache:superset::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
First Time		Apache Apache superset

06 Sep 2023, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-06 13:15

Updated : 2024-11-21 08:15

NVD link : CVE-2023-39264

Mitre link : CVE-2023-39264

CVE.ORG link : CVE-2023-39264

JSON object : View

Products Affected

apache

superset

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2023-39264", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-09-06T13:15:08.927", "references": [{"url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0."}, {"lang": "es", "value": "De forma predeterminada, se habilitaron los traces de memoria para errores, lo que result\u00f3 en la exposici\u00f3n de los seguimientos internos en los endpoints de la API REST para los usuarios. Esta vulnerabilidad existe en las versiones de Apache Superset hasta la versi\u00f3n 2.1.0 incluida. "}], "lastModified": "2024-11-21T08:15:00.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5C7318E-1118-457F-A2BC-8B9400AE7C3C", "versionEndIncluding": "2.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}