Page 4 of 35 results (0.001 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF. El permiso incorrecto de la API REST en Apache Superset hasta la versión 2.1.0 incluida permite que los usuarios de Gamma autenticados prueben las conexiones de red, dando lugar a un posible Server-Side Request Forgery (SSRF). • https://lists.apache.org/thread/ccmjjz4jp17yc2kcd18qshmdtf7qorfs • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. Un usuario no autenticado como administrador podría crear recursos incorrectamente utilizando la función de importación de gráficos, en Apache Superset hasta la versión 2.1.0 incluida. • https://lists.apache.org/thread/ndww89yl2jd98lvn23n9cj722lfdg8dv • CWE-863: Incorrect Authorization •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections. Un permiso de API REST predeterminado incorrecto para los usuarios de Gamma en Apache Superset hasta la versión 2.1.0 incluida permite que un usuario de Gamma autenticado pruebe las conexiones de la base de datos. • https://github.com/apache/superset/pull/24185 https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3 • CWE-863: Incorrect Authorization •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1. • http://www.openwall.com/lists/oss-security/2023/04/24/3 https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz • CWE-522: Insufficiently Protected Credentials •

CVSS: 9.8EPSS: 97%CPEs: 1EXPL: 12

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable. Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. • https://www.exploit-db.com/exploits/51447 https://github.com/horizon3ai/CVE-2023-27524 https://github.com/MaanVader/CVE-2023-27524-POC https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE https://github.com/ThatNotEasy/CVE-2023-27524 https://github.com/antx-code/CVE-2023-27524 https://github.com/TardC/CVE-2023-27524 https://github.com/necroteddy/CVE-2023-27524 https://github.com/NguyenCongHaiNam/Research-CVE-2023-27524 https://github.com/Cappricio • CWE-1188: Initialization of a Resource with an Insecure Default •