CVE-2023-36387

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:P

Name of the Vulnerable Software and Affected Versions Apache Superset versions up to and including 2.1.0

Description The issue is related to an improper default REST API permission for Gamma users in Apache Superset, which is connected to shortcomings in the authorization mechanism. This allows an authenticated Gamma user to test database connections.

Recommendations For Apache Superset versions up to and including 2.1.0, consider restricting the REST API permissions for Gamma users to prevent them from testing database connections until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Preservation of Permissions

SSRF

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-281CWE-918CWE-863

Related Identifiers

BDU:2023-07917

BIT-SUPERSET-2023-36387

CVE-2023-36387

GHSA-9832-MGG4-3GR6

Affected Products

Apache Superset

CVE-2023-36387

Weakness Enumeration

Related Identifiers

Affected Products

References · 11