CVE-2022-41703

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-41703

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41703.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-41703

Aliases

Published

2023-01-16T11:15:10Z

Modified

2025-04-08T21:15:44Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOWADHOCSUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

References

https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos

Affected packages

Git / github.com/apache/superset

Affected ranges

Type: GIT
Repo: https://github.com/apache/superset
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

067495d954ee0015d35c1437245feb66984e4c49

Last affected

0c05300ce51b721e88870565833f72a3337cc300

Last affected

edbbf886af53009676a1fae32fc024efa2d68534