Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data.
This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.
Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
References
Configurations
No configuration.
History
28 Feb 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-28 12:15
Updated : 2024-02-28 15:15
NVD link : CVE-2024-24779
Mitre link : CVE-2024-24779
CVE.ORG link : CVE-2024-24779
JSON object : View
Products Affected
No product.
CWE
CWE-863
Incorrect Authorization