PT-2023-14667 · Apache · Apache Superset
Sunny Alexli · Published 2023-01-16 · Updated 2025-04-07
CVE-2022-45438
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Superset versions 1.5.2 and prior
Apache Superset version 2.0.0
Description
The system allowed an unauthenticated user to read dashboard configuration metadata through a REST API GET endpoint when the `DASHBOARD_CACHE` feature flag was explicitly enabled. This flag is disabled by default.
Recommendations
For Apache Superset versions 1.5.2 and prior, consider disabling the `DASHBOARD_CACHE` feature flag until a patch is available.
For Apache Superset version 2.0.0, consider disabling the `DASHBOARD_CACHE` feature flag until a patch is available.
As a temporary workaround, restrict access to the REST API GET endpoint to minimize the risk of exploitation.
Fix
Improper Access Control
Exposure of Resource to Wrong Sphere
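To act on the recommendation above, an operator needs to know whether `DASHBOARD_CACHE` is actually in effect, not just what one file says. The following audit script is an added example, not code from this advisory or from the Superset project; it assumes the deployment's flags live in a `superset_config.py` `FEATURE_FLAGS` dict, that a `SUPERSET_FEATURE_DASHBOARD_CACHE` environment variable can also set the flag (the prefix Superset's default config reads), and that an explicit config-file entry takes precedence over that variable.

```python
import os
import runpy
import tempfile

FLAG = "DASHBOARD_CACHE"
# Assumed env-var override name: Superset's default config reads SUPERSET_FEATURE_<FLAG>.
ENV_VAR = f"SUPERSET_FEATURE_{FLAG}"

# Constructed sample configs: the exposed setting beside the recommended one.
WEAK_CONFIG = 'FEATURE_FLAGS = {"DASHBOARD_CACHE": True}\n'
HARDENED_CONFIG = 'FEATURE_FLAGS = {"DASHBOARD_CACHE": False}\n'


def parse_bool(value):
    """Loose boolean parsing, as used for feature-flag environment variables."""
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y", "on")


def effective_dashboard_cache(config_path, environ=None):
    """Return True if DASHBOARD_CACHE ends up enabled for this deployment.

    Assumed precedence: config-file FEATURE_FLAGS entry, then the
    SUPERSET_FEATURE_* environment variable, then the default (disabled).
    """
    environ = os.environ if environ is None else environ
    # run_path executes the config module and returns its globals.
    flags = runpy.run_path(config_path).get("FEATURE_FLAGS", {})
    if FLAG in flags:
        return bool(flags[FLAG])
    if ENV_VAR in environ:
        return parse_bool(environ[ENV_VAR])
    return False  # disabled by default, as the advisory states


def audit(config_text, environ):
    """Write a config snippet to a temp file and evaluate the effective flag."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(config_text)
        path = f.name
    try:
        return effective_dashboard_cache(path, environ)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        state = "ENABLED (metadata exposed)" if audit(cfg, {}) else "disabled"
        print(f"{label:9s} config: {FLAG} {state}")
```

Run it against the real `superset_config.py` path with `effective_dashboard_cache(path)` to use the live process environment.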
Affected Products
Apache Superset