PT-2024-9970 · Apache · Apache Superset
Hugh Miles +1
Published 2024-12-09 · Updated 2025-02-12
CVE-2024-53949
CVSS v4.0 7.6 High
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
Apache Superset versions from 2.0.0 before 4.1.0 (4.1.0 is the fixed release)
Description:
The issue is an improper authorization check in the Flask-AppBuilder (FAB) security API, the API that manages users, roles and permissions, which Apache Superset exposes when the FAB_ADD_SECURITY_API configuration setting is enabled. The setting is disabled by default, which is why the CVSS vector carries the attack requirement AT:P. With the API enabled, lower-privileged authenticated users can call it, which could let a remote attacker elevate their privileges. The issue affects Apache Superset from version 2.0.0 before 4.1.0.
Recommendations:
For Apache Superset versions 2.0.0 through 4.0.x, upgrade to version 4.1.0, which fixes the issue.
Versions prior to 2.0.0 are outside the affected range listed above; no separate fix is published for them.
As a temporary workaround until you can upgrade, keep the FAB security API disabled by leaving FAB_ADD_SECURITY_API = False in superset_config.py (the default value), and confirm that the setting has not been enabled in any deployed configuration.
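Added example, not code from the advisory or the Apache Superset project: a probe that logs in as a low-privilege account and checks whether the FAB security API answers it. Assumptions, labelled in the code: the FAB security API is mounted under /api/v1/security/roles/, /api/v1/security/users/ and /api/v1/security/permissions/ (FAB's resource paths, not named on this page); the login endpoint /api/v1/security/login with provider "db" is Superset's own API. A 200 for an account that is not meant to manage roles shows the authorization gap described above, 401/403 shows enforcement, and 404 means the API is not mounted (FAB_ADD_SECURITY_API left at False). Run it only against an instance you are authorized to test.

```python
"""Probe whether a Superset deployment exposes the FAB security API to a
low-privilege account.

Added example for this advisory; not code from the advisory or from the
Apache Superset project. Assumed: FAB mounts its security API under the
paths in FAB_SECURITY_PATHS when FAB_ADD_SECURITY_API is True; the login
path is Superset's documented /api/v1/security/login.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed FAB security API resource paths (not taken from the advisory).
FAB_SECURITY_PATHS = (
    "/api/v1/security/roles/",
    "/api/v1/security/users/",
    "/api/v1/security/permissions/",
)

EXPOSED, DENIED, DISABLED, UNKNOWN = "EXPOSED", "DENIED", "DISABLED", "UNKNOWN"


def classify(status: int) -> str:
    """Map the HTTP status of a GET by a low-privilege user to a verdict.

    200     -> the API answered a user who should not manage security objects
    401/403 -> authorization is enforced
    404     -> the API is not mounted (FAB_ADD_SECURITY_API left at False)
    """
    if status == 200:
        return EXPOSED
    if status in (401, 403):
        return DENIED
    if status == 404:
        return DISABLED
    return UNKNOWN


def summarize(results: dict[str, str]) -> str:
    """Collapse per-path verdicts: any EXPOSED path means the gap is present."""
    verdicts = set(results.values())
    if EXPOSED in verdicts:
        return EXPOSED
    if verdicts == {DISABLED}:
        return DISABLED
    if verdicts <= {DENIED, DISABLED}:
        return DENIED
    return UNKNOWN


def _status(req: urllib.request.Request) -> int:
    """Return the HTTP status, treating 4xx/5xx as data rather than errors."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def login(base_url: str, username: str, password: str) -> str:
    """Obtain a JWT from Superset's /api/v1/security/login (provider "db")."""
    body = json.dumps({"username": username, "password": password,
                       "provider": "db", "refresh": False}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/security/login",
                                 data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def probe(base_url: str, token: str) -> dict[str, str]:
    """GET each assumed security API path with the low-privilege token."""
    results = {}
    for path in FAB_SECURITY_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {token}"})
        results[path] = classify(_status(req))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe_fab_security_api.py BASE_URL USERNAME PASSWORD")
    url, user, pw = sys.argv[1:]
    res = probe(url, login(url, user, pw))
    for path, verdict in res.items():
        print(f"{verdict:9} {path}")
    print("overall:", summarize(res))
```

Use a deliberately low-privilege account (for example one holding only the Gamma role) so that a 200 cannot be explained by legitimate admin rights; after upgrading to 4.1.0 or confirming FAB_ADD_SECURITY_API is False, the overall verdict should be DENIED or DISABLED.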
Weakness Types:
Improper Authorization (CWE-285)
Incorrect Authorization (CWE-863)
Affected Products
Apache Superset