Authenticated User Can Access Metadata for Unauthorized Datasource via Targeted REST API Request
CVE-2024-28148
4.3MEDIUM
Summary
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2.
Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue.
Affected Version(s)
Apache Superset 0 < 3.1.2
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Daniel Pedro Vaz Gaspar
Krishna Nadh