// For flags

CVE-2023-42501

Apache Superset: Unnecessary read permissions within the Gamma role

Severity Score

4.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.
This issue affects Apache Superset: before 2.1.2.
Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.

Los permisos de lectura innecesarios dentro de la función Gamma permitirían a los usuarios autenticados leer plantillas y anotaciones CSS configuradas. Este problema afecta a Apache Superset: antes de 2.1.2. Los usuarios deben actualizar a la versión 2.1.2 o superior y ejecutar `superset init` para reconstruir la función Gamma o eliminar el permiso `can_read` de los recursos mencionados.

*Credits: Miguel Segovia Gil
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-09-11 CVE Reserved
  • 2023-11-27 CVE Published
  • 2024-08-29 CVE Updated
  • 2024-10-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-276: Incorrect Default Permissions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
Superset
Search vendor "Apache" for product "Superset"
< 2.1.1
Search vendor "Apache" for product "Superset" and version " < 2.1.1"
-
Affected