PT-2023-25567 · Apache · Apache Superset

Vin01 · Published 2023-09-06 · Updated 2025-02-05 · CVE-2023-36388

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Superset versions up to and including 2.1.0
Description: Improper REST API permission handling in Apache Superset allows authenticated Gamma users to test network connections, which may enable a Server-Side Request Forgery (SSRF) attack.
Recommendations: For Apache Superset versions up to and including 2.1.0, consider restricting access to the REST API until a patch is available. As a temporary workaround, limit the permissions of Gamma users so that they cannot test network connections.

Fix

Weakness Enumeration

SSRF

Related Identifiers

BIT-SUPERSET-2023-36388
CVE-2023-36388
GHSA-4FG9-5W46-XMRJ

Affected Products

Apache Superset