Virtual Datasets Lead to Unauthorized Data Access in Apache Superset
CVE-2024-24779

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Superset
Vendor: CVE Published:; 28 February 2024

What is CVE-2024-24779?

Apache Superset with custom roles that include can write on dataset and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Superset 0 < 3.0.4

Apache Superset 3.1.0 < 3.1.1

References

https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/28/6

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 28, 2024
Vulnerability Reserved
Jan 30, 2024

Credit

Daniel Pedro Vaz Gaspar

@DLT1412

JSON

Apache