Information disclosure in Apache Superset

#VU85978 Information disclosure in Apache Superset

Published: 2024-01-31

Vulnerability identifier: #VU85978

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42505

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Superset
Web applications / Other software

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information, such as connection's username.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Superset: 2.0.0 - 2.1.3

External links
http://lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y
http://www.openwall.com/lists/oss-security/2023/11/28/5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Two vulnerabilities in Apache Superset