PT-2023-20117 · Apache · Apache Superset

Alexey Sabadash

Publicado

2023-04-17

Atualizado

2025-02-05

CVE-2023-25504

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Superset versions up to and including 2.0.1

Description A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed.

Recommendations For Apache Superset versions up to and including 2.0.1, consider disabling the import dataset feature as a temporary workaround until a patch is available. Restrict access to internal resources to minimize the risk of exploitation.

Correção

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-918

Identificadores relacionados

BIT-SUPERSET-2023-25504

CVE-2023-25504

GHSA-FXJG-28FM-PFXH

Produtos afetados

Apache Superset

PT-2023-20117 · Apache · Apache Superset

CVE-2023-25504

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 9