GHSA-fgpw-4w69-j256

Suggest an improvement
Source
https://github.com/advisories/GHSA-fgpw-4w69-j256
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fgpw-4w69-j256/GHSA-fgpw-4w69-j256.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fgpw-4w69-j256
Aliases
Published
2023-11-28T18:30:23Z
Modified
2023-11-29T04:41:34.061795Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Superset Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Details

An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username.

This issue affects Apache Superset before 3.0.0.

Database specific
{
    "nvd_published_at": "2023-11-28T17:15:08Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T23:29:04Z"
}
References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.0

Affected versions

0.*

0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3

2.*

2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1
2.1.2

3.*

3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4