Virtual Datasets Lead to Unauthorized Data Access in Apache Superset
CVE-2024-24779

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Superset
Vendor: CVE Published:; 28 February 2024

Summary

Apache Superset with custom roles that include can write on dataset and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Affected Version(s)

Apache Superset 0 < 3.0.4

Apache Superset 3.1.0 < 3.1.1

References

https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/28/6

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 28, 2024
Vulnerability Reserved
Jan 30, 2024

Credit

Daniel Pedro Vaz Gaspar

@DLT1412