PT-2021-17758 · Apache · Apache Superset
Dario Castrogiovanni
Published: 2021-04-27 · Updated: 2025-02-05
CVE-2021-28125
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Superset versions prior to 1.1.0
Description:
The URL shortener in Apache Superset does not validate the target URL supplied by the user, so it can be made to point at an arbitrary external site. A malicious user can therefore create a short link that appears to lead to a Superset dashboard but redirects elsewhere; because the short link is served from the trusted Superset host, a victim is more likely to be convinced to click it.
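The root cause is a shortener that stores and later redirects to whatever target the user supplies. The following is an added example, not code from Superset or from this advisory: a same-origin check that a shortener can apply both when a link is created and again when it is resolved, accepting only paths on the deployment's own host. The host name, the in-memory store and all function names are assumptions.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SHORTENER_HOST = "superset.example.internal"  # hypothetical deployment host


def is_same_origin_target(raw_url: str, allowed_host: str) -> bool:
    """True only if raw_url is an absolute path on allowed_host or a plain
    server-relative path. Rejects other hosts, protocol-relative URLs
    (//host), backslash variants, userinfo tricks and non-http schemes."""
    if not raw_url:
        return False
    # Drop surrounding whitespace and control characters, then treat
    # backslashes as slashes, which is how browsers parse them.
    cleaned = "".join(ch for ch in raw_url.strip() if ch >= " ")
    cleaned = cleaned.replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto:, ...
    if parts.netloc:
        # An explicit authority is present: hostname() strips userinfo
        # and port, so "trusted@evil" resolves to "evil" and is rejected.
        host = (parts.hostname or "").lower()
        return bool(parts.scheme) and host == allowed_host.lower()
    # No authority: require a single leading slash. "//host" already has a
    # netloc above; "https:host" (scheme, no slashes) lands here and fails.
    return cleaned.startswith("/") and not cleaned.startswith("//")


_links: Dict[str, str] = {}  # short key -> validated target (demo store)


def create_short_link(target: str) -> str:
    """Validate the target before persisting it; return the short key."""
    if not is_same_origin_target(target, SHORTENER_HOST):
        raise ValueError("refusing to shorten a target outside this host")
    key = secrets.token_urlsafe(6)
    _links[key] = target
    return key


def resolve_short_link(key: str) -> Optional[str]:
    """Re-check on resolution as well, so a store tampered with after
    creation still cannot redirect off-host."""
    target = _links.get(key)
    if target is None or not is_same_origin_target(target, SHORTENER_HOST):
        return None
    return target
```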
Recommendations:
For versions prior to 1.1.0, update to version 1.1.0 or later to resolve the issue. As a temporary workaround until the update can be applied, consider disabling the URL shortener functionality, restrict access to the URL shortener module to minimize the risk of exploitation, and avoid using the URL shortener for dashboards until the issue is resolved.
Weakness: Open Redirect
Affected Products: Apache Superset