PT-2023-20117 · Apache · Apache Superset
Alexey Sabadash
·
Published
2023-04-17
·
Updated
2025-02-05
·
CVE-2023-25504
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Superset versions up to and including 2.0.1
Description
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed.
Recommendations
For Apache Superset versions up to and including 2.0.1, consider disabling the import dataset feature as a temporary workaround until a patch is available. Restrict access to internal resources to minimize the risk of exploitation.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Superset