CVE-2023-42502

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-42502

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-42502.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-42502

Aliases

Published

2023-11-28T17:15:07Z

Modified

2025-02-05T09:12:06.544354Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

References

https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn

Affected packages

Git / github.com/apache/superset

Affected ranges

Type: GIT
Repo: https://github.com/apache/superset
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

40d9c4c81fff257ddb6c52f3be9a4794903f4d0f