Main Vulnerability Database SB20200930104

SB20200930104 - Information disclosure in Apache Superset

Published: September 30, 2020

Security Bulletin ID SB20200930104

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2020-13952)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application due to improper input validation within the Hive and Presto database engines. A remote user send a specially crafted request to the application and reveal database structure.

Remediation

Install update from vendor's website.

References

https://seclists.org/oss-sec/2020/q3/203