PT-2020-13800 · Apache · Apache Superset

Published: 2020-09-30 · Updated: 2025-02-05 · CVE-2020-13952

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 0.37.2

Description: The issue allows authenticated users running queries against the Hive and Presto database engines to access sensitive information, including the contents of the query-description metadata database, hashed user passwords, and connection information such as plaintext passwords. Additionally, it enables those users to run arbitrary methods on the database connection object, bypassing internal security controls.

Recommendations: For versions prior to 0.37.2, update to version 0.37.2 or later to resolve the issue. As a temporary workaround until the patch is applied, restrict access to the templated fields and limit the ability to run arbitrary methods on the database connection object. Restrict access to sensitive information such as query description metadata and connection details to minimize the risk of exploitation.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-SUPERSET-2020-13952
CVE-2020-13952
GHSA-77PW-C3J2-5FC8
PYSEC-2020-223

Affected Products

Apache Superset