apache-superset@0.34.1 vulnerabilities

A modern, enterprise-ready business intelligence web application

Direct Vulnerabilities

Known vulnerabilities in the apache-superset package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability, severity and vulnerable version range

Information Exposure (Severity: Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Information Exposure in the form of dataset metadata, including dataset name, columns, and metrics.

How to fix Information Exposure?

Upgrade apache-superset to version 1.5.1 or higher.

Vulnerable versions: (,1.5.1)
SQL Injection (Severity: Critical)

Affected versions of this package are vulnerable to SQL Injection in chart data requests.

How to fix SQL Injection?

Upgrade apache-superset to version 1.4.2 or higher.

Vulnerable versions: (,1.4.2)
Insufficiently Protected Credentials (Severity: Medium)

Affected versions of this package are vulnerable to Insufficiently Protected Credentials, which allows authenticated users to obtain the passwords of registered database connections.

How to fix Insufficiently Protected Credentials?

Upgrade apache-superset to version 1.4.0 or higher.

Vulnerable versions: (,1.4.0)
Improper Output Neutralization for Logs (Severity: High)

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via an HTTP endpoint that allowed an authenticated user to forge log entries or inject malicious content into logs.

How to fix Improper Output Neutralization for Logs?

Upgrade apache-superset to version 1.3.2 or higher.

Vulnerable versions: (,1.3.2)
Improper Output Neutralization for Logs (Severity: Medium)

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via an HTTP endpoint that allowed an authenticated user to forge log entries or inject malicious content into logs.

How to fix Improper Output Neutralization for Logs?

Upgrade apache-superset to version 1.3.2 or higher.

Vulnerable versions: (,1.3.2)
Insufficiently Protected Credentials (Severity: Medium)

Affected versions of this package are vulnerable to Insufficiently Protected Credentials: database connection passwords are leaked to authenticated users.

How to fix Insufficiently Protected Credentials?

Upgrade apache-superset to version 1.3.2 or higher.

Vulnerable versions: (,1.3.2)
Cross-site Scripting (XSS) (Severity: Medium)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Titles are not sanitized correctly on the Explore page, which allows an attacker with Explore access to save a chart with a malicious title, injecting HTML (including scripts) into the page.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-superset to version 1.2.0 or higher.

Vulnerable versions: (,1.2.0)
SQL Injection (Severity: Medium)

Affected versions of this package are vulnerable to SQL Injection. When ENABLE_TEMPLATE_PROCESSING is turned on (it is disabled by default), a malicious authenticated user can perform SQL injection by sending an HTTP request with a custom URL.

How to fix SQL Injection?

Upgrade apache-superset to version 1.3.1 or higher.

Vulnerable versions: (,1.3.1)
Open Redirect (Severity: Medium)

Affected versions of this package are vulnerable to Open Redirect. Because user input for redirects is insufficiently validated, the URL shortener functionality allows a malicious user to create a short URL for a dashboard and convince another user to click the link.

How to fix Open Redirect?

Upgrade apache-superset to version 1.1.0 or higher.

Vulnerable versions: (,1.1.0)
Cross-site Scripting (XSS) (Severity: High)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The product allows the creation of a Markdown component on a Dashboard page for describing a chart's related information. By abusing this functionality, a malicious user could inject JavaScript code that executes unwanted actions in the context of the user's browser. The JavaScript code is executed automatically (Stored XSS) when a legitimate user visits the dashboard page. The vulnerability is exploitable by creating a "div" section and embedding in it an "svg" element containing JavaScript code.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-superset to version 0.38.1 or higher.

Vulnerable versions: (,0.38.1)
Cross-site Scripting (XSS) (Severity: Medium)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via Markdown.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-superset to version 0.36.0 or higher.

Vulnerable versions: (,0.36.0)
Insecure Defaults (Severity: Medium)

Affected versions of this package are vulnerable to Insecure Defaults: metrics are unrestricted.

How to fix Insecure Defaults?

Upgrade apache-superset to version 0.35.1 or higher.

Vulnerable versions: (,0.35.1)
Information Exposure (Severity: Medium)

Affected versions of this package are vulnerable to Information Exposure. Authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields, including the contents of the query description metadata database, the hashed version of the authenticated user's password, and connection information including the plaintext password for the current connection. It was also possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset.

How to fix Information Exposure?

Upgrade apache-superset to version 0.37.2 or higher.

Vulnerable versions: (,0.37.2)
Remote Code Execution (RCE) (Severity: High)

Affected versions of this package are vulnerable to Remote Code Execution (RCE). An authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s os package in the web application process. It is possible for an authenticated user to list and access files, environment variables, and process information. Additionally, it is possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the os package in Python are also available.

How to fix Remote Code Execution (RCE)?

Upgrade apache-superset to version 0.37.1 or higher.

Vulnerable versions: (,0.37.1)
Information Exposure (Severity: Medium)

Affected versions of this package are vulnerable to Information Exposure. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.

How to fix Information Exposure?

Upgrade apache-superset to version 0.35.2 or higher.

Vulnerable versions: [0.34.0,0.35.2)