CVE-2023-39265

Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:15

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html -
References () https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy - Vendor Advisory () https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy - Vendor Advisory
CVSS v2 : unknown
v3 : 6.5
v2 : unknown
v3 : 3.8

13 Oct 2023, 16:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html -

12 Sep 2023, 15:09

Type Values Removed Values Added
First Time Apache
Apache superset
References (MISC) https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy - (MISC) https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

06 Sep 2023, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-06 14:15

Updated : 2024-11-21 08:15


NVD link : CVE-2023-39265

Mitre link : CVE-2023-39265

CVE.ORG link : CVE-2023-39265


JSON object : View

Products Affected

apache

  • superset
CWE
CWE-20

Improper Input Validation