PT-2024-21816 · Apache · Apache Superset

Anastasios Stasinopoulos · Published 2024-02-28 · Updated 2025-02-05 · CVE-2024-27315

CVSS v4.0 score: 5.3
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions:

Apache Superset versions prior to 3.0.4

Apache Superset versions 3.1.0 through 3.1.1

Description:

An authenticated user with privileges to create alerts on Alerts & Reports can generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert, exposing possibly sensitive data.

Recommendations:

For Apache Superset versions prior to 3.0.4, upgrade to version 3.0.4, which fixes the issue.

For Apache Superset versions 3.1.0 through 3.1.1, upgrade to version 3.1.1, which fixes the issue.

Fix

Weakness Enumeration

Information Disclosure

Generation of Error Message Containing Sensitive Information

Related Identifiers

BIT-SUPERSET-2024-27315
CVE-2024-27315
GHSA-H7R6-8QMM-HJ5R

Affected Products

Apache Superset