GHSA-3v9r-885j-762g

Source
https://github.com/advisories/GHSA-3v9r-885j-762g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3v9r-885j-762g/GHSA-3v9r-885j-762g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3v9r-885j-762g
Aliases
Published
2024-02-28T12:30:27Z
Modified
2025-02-13T19:28:05.844967Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Apache Superset: Improper authorization validation on dashboards and charts import
Details

A low-privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. Note that access to the analytical data behind these charts and dashboards would still be subject to validation based on data access privileges.

This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Database specific
{
    "nvd_published_at": "2024-02-28T12:15:47Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-28T18:36:34Z"
}
References

Affected packages

Package
PyPI / apache-superset

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.0.4

Affected versions

0.*

0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3

2.*

2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1
2.1.2
2.1.3

3.*

3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1
3.0.2
3.0.3

Database specific

{
    "last_known_affected_version_range": "<= 3.0.3"
}

Package
PyPI / apache-superset

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.1

Affected versions

3.*

3.1.0