CVE-2024-27315
Apache Superset: Improper error handling on alerts
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
*Credits:
Anastasios Stasinopoulos - OBRELA LABS, Beto de Almeida
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-02-23 CVE Reserved
- 2024-02-28 CVE Published
- 2024-10-03 CVE Updated
- 2025-04-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/02/28/3 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z | 2024-02-28 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Superset Search vendor "Apache Software Foundation" for product "Apache Superset" | < 3.0.4 Search vendor "Apache Software Foundation" for product "Apache Superset" and version " < 3.0.4" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Superset Search vendor "Apache Software Foundation" for product "Apache Superset" | >= 3.1.0 < 3.1.1 Search vendor "Apache Software Foundation" for product "Apache Superset" and version " >= 3.1.0 < 3.1.1" | en |
Affected
| ||||||