Vulnerability Monitor


CVE-2023-25504


A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.


Published

2023-04-17T17:15:07.353

Last Modified

2025-02-13T17:16:09.373

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.9 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-918
  • Type: Primary
    CWE-918

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | superset | ≤ 2.0.1 | Yes |
