Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.
Users are recommended to upgrade to version 2.1.2, which fixes this issue.
References
| Link | Resource |
|---|---|
| https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892 | Mailing List |
| https://www.openwall.com/lists/oss-security/2023/11/27/4 | Mailing List |
| https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892 | Mailing List |
| https://www.openwall.com/lists/oss-security/2023/11/27/4 | Mailing List |
Configurations
History
21 Nov 2024, 08:24
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892 - Mailing List | |
| References | () https://www.openwall.com/lists/oss-security/2023/11/27/4 - Mailing List | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
01 Dec 2023, 19:10
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| References | () https://www.openwall.com/lists/oss-security/2023/11/27/4 - Mailing List | |
| References | () https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892 - Mailing List | |
| CPE | cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:* | |
| First Time |
Apache superset
Apache |
27 Nov 2023, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
27 Nov 2023, 12:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-11-27 11:15
Updated : 2024-11-21 08:24
NVD link : CVE-2023-43701
Mitre link : CVE-2023-43701
CVE.ORG link : CVE-2023-43701
JSON object : View
Products Affected
apache
- superset
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')