#VU85971 Improper access control in Apache Superset - CVE-2023-39265
Published: January 31, 2024
Vulnerability identifier: #VU85971
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-39265
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Superset
Apache Superset
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when using alternative driver names or database imports. A remote user can bypass implemented security restrictions and gain unauthorized access to the application, or create files on on Superset webservers. This can result in remote code execution.
Remediation
Install updates from vendor's website.