GHSA-fxjg-28fm-pfxh

Source

https://github.com/advisories/GHSA-fxjg-28fm-pfxh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-fxjg-28fm-pfxh/GHSA-fxjg-28fm-pfxh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-fxjg-28fm-pfxh

Aliases

Published

2023-07-06T19:24:15Z

Modified

2025-02-13T19:51:53.244381Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Superset Server-Side Request Forgery vulnerability

Details

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.

Database specific

{
    "nvd_published_at": "2023-04-17T17:15:00Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T22:10:49Z"
}

References

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

2.*

2.0.0

2.0.1