#VU71201 Permissions, Privileges, and Access Controls in Apache Superset - CVE-2022-41703


Published: January 17, 2023


Vulnerability identifier: #VU71201
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-41703
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Superset
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions within the SQL Alchemy connector. A remote user with read access to a specific database can add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the feature flag "ALLOW_ADHOC_SUBQUERY" being disabled (the default value).
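To illustrate the gate that the "ALLOW_ADHOC_SUBQUERY" flag is meant to enforce, the following is an added example of a server-side check on adhoc WHERE/HAVING clauses; it is not Apache Superset's own code, and the function names `has_subquery` and `validate_adhoc_filter` are assumptions. It rejects any embedded query in the clause while the flag is off, and skips string literals, quoted identifiers and comments so that a filter such as `status = 'select'` is not misclassified.

```python
import re

# Tokenizer: string literals, quoted identifiers and comments are matched as
# single tokens so that keywords inside them are never inspected.
_TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal ('' is an escaped quote)
    r'|"(?:[^"]|"")*"'     # double-quoted identifier
    r"|--[^\n]*"           # line comment
    r"|/\*.*?\*/"          # block comment
    r"|\w+"                # bare identifier or keyword
    r"|\S",                # any other single non-space character
    re.DOTALL,
)

# Keywords that start an embedded query inside a filter expression.
_QUERY_KEYWORDS = {"SELECT", "WITH"}


def has_subquery(clause: str) -> bool:
    """Return True if the adhoc WHERE/HAVING clause contains an embedded query.

    Tokens that are literals, quoted identifiers or comments are skipped, so
    status = 'select' is not flagged while id IN (SELECT ...) is.
    """
    for tok in _TOKEN_RE.findall(clause):
        if tok[0] in ("'", '"') or tok.startswith(("--", "/*")):
            continue
        if tok.upper() in _QUERY_KEYWORDS:
            return True
    return False


def validate_adhoc_filter(clause: str, allow_adhoc_subquery: bool = False) -> str:
    """Gate an adhoc filter the way the flag is intended to (assumed behaviour):
    return the clause unchanged if acceptable, raise ValueError otherwise."""
    if not allow_adhoc_subquery and has_subquery(clause):
        raise ValueError("subqueries are not allowed in adhoc WHERE/HAVING filters")
    return clause
```

Constructed inputs such as `id IN (SELECT id FROM other_table)` are rejected, whereas `selected_at > '2023-01-01'` and `a = 1 -- select from x` pass.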


Remediation

Install updates from vendor's website.

External links