PT-2024-21816 · Apache · Apache Superset
Anastasios Stasinopoulos · Published 2024-02-28 · Updated 2025-02-05
CVE-2024-27315 · CVSS v4.0 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Apache Superset versions prior to 3.0.4
Apache Superset versions 3.1.0 through 3.1.1
Description
An authenticated user with privileges to create alerts on Alerts & Reports can generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert, exposing possibly sensitive data.
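The failure mode described above, as an added illustration that is not Apache Superset code: an alert runner that stores the raw database driver message where the alert owner can read it, beside a hardened variant that keeps the driver text in the server log and shows the user only a generic message with a correlation id. The AlertRun record, the run_sql stub and its error text are constructed for the example.

```python
import logging
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an alert execution record; field names are assumed.
logger = logging.getLogger("alerts")


@dataclass
class AlertRun:
    alert_id: int
    error_message: Optional[str] = None  # text the alert owner sees in the UI
    incident_id: Optional[str] = None    # correlation id for the server log


class FakeDbError(Exception):
    """Stands in for a driver exception whose text echoes query data."""


def run_sql(sql: str) -> int:
    # Constructed stub: on failure the driver embeds a row value in the message,
    # which is the behaviour that makes raw error text sensitive.
    if "fail" in sql:
        raise FakeDbError("ERROR: operator failed on value 'secret_api_key=abc123'")
    return 1


def execute_alert_unsafe(run: AlertRun, sql: str) -> AlertRun:
    # Weak pattern: the driver message is copied verbatim into the alert's
    # error field, so whatever the database echoed reaches the alert owner.
    try:
        run_sql(sql)
    except Exception as exc:
        run.error_message = str(exc)
    return run


def execute_alert_safe(run: AlertRun, sql: str) -> AlertRun:
    # Hardened pattern: full exception goes to the server log only; the user
    # gets a fixed message plus an id an administrator can search for.
    try:
        run_sql(sql)
    except Exception as exc:
        run.incident_id = uuid.uuid4().hex[:12]
        logger.error("alert %s failed (incident %s): %s",
                     run.alert_id, run.incident_id, exc)
        run.error_message = (
            f"Alert query failed (incident {run.incident_id}); "
            "contact an administrator for details."
        )
    return run
```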
Recommendations
For Apache Superset versions prior to 3.0.4, upgrade to version 3.0.4, which fixes the issue.
For Apache Superset versions 3.1.0 through 3.1.1, upgrade to version 3.1.1, which fixes the issue.
Fix
Generation of Error Message Containing Sensitive Information
Information Disclosure
Related Identifiers
Affected Products
Apache Superset