apache-superset@0.37.2 vulnerabilities

A modern, enterprise-ready business intelligence web application

Direct Vulnerabilities

Known vulnerabilities in the apache-superset package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable versions (severity marker: C = Critical, H = High, M = Medium)
  • Information Exposure (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Information Exposure in the form of dataset metadata, including dataset name, columns, and metrics.

How to fix Information Exposure?

Upgrade apache-superset to version 1.5.1 or higher.

Vulnerable versions: (,1.5.1), i.e. all versions below 1.5.1
  • SQL Injection (severity: C, Critical)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to SQL Injection in chart data requests.

How to fix SQL Injection?

Upgrade apache-superset to version 1.4.2 or higher.

Vulnerable versions: (,1.4.2), i.e. all versions below 1.4.2
  • Insufficiently Protected Credentials (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials, which allows the passwords of registered database connections to be leaked to authenticated users.

How to fix Insufficiently Protected Credentials?

Upgrade apache-superset to version 1.4.0 or higher.

Vulnerable versions: (,1.4.0), i.e. all versions below 1.4.0
  • Improper Output Neutralization for Logs (severity: H, High)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via an HTTP endpoint that allowed an authenticated user to forge log entries or inject malicious content into logs.

How to fix Improper Output Neutralization for Logs?

Upgrade apache-superset to version 1.3.2 or higher.

Vulnerable versions: (,1.3.2), i.e. all versions below 1.3.2
  • Improper Output Neutralization for Logs (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via an HTTP endpoint that allowed an authenticated user to forge log entries or inject malicious content into logs.

How to fix Improper Output Neutralization for Logs?

Upgrade apache-superset to version 1.3.2 or higher.

Vulnerable versions: (,1.3.2), i.e. all versions below 1.3.2
  • Insufficiently Protected Credentials (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via a leak of database connection passwords to authenticated users.

How to fix Insufficiently Protected Credentials?

Upgrade apache-superset to version 1.3.2 or higher.

Vulnerable versions: (,1.3.2), i.e. all versions below 1.3.2
  • Cross-site Scripting (XSS) (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting HTML (including scripts) into the page.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-superset to version 1.2.0 or higher.

Vulnerable versions: (,1.2.0), i.e. all versions below 1.2.0
  • SQL Injection (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to SQL Injection. When configured with ENABLE_TEMPLATE_PROCESSING enabled (it is disabled by default), it allows SQL injection when a malicious authenticated user sends an HTTP request with a custom URL.

How to fix SQL Injection?

Upgrade apache-superset to version 1.3.1 or higher.

Vulnerable versions: (,1.3.1), i.e. all versions below 1.3.1
  • Open Redirect (severity: M, Medium)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Open Redirect. Because user input is insufficiently validated against open redirects, the URL shortener functionality allows a malicious user to create a short URL for a dashboard and convince another user to click the link.

How to fix Open Redirect?

Upgrade apache-superset to version 1.1.0 or higher.

Vulnerable versions: (,1.1.0), i.e. all versions below 1.1.0
  • Cross-site Scripting (XSS) (severity: H, High)

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It allows the creation of a Markdown component on a Dashboard page for describing information related to a chart. By abusing this functionality, a malicious user could inject JavaScript code that executes unwanted actions in the context of the user's browser. The JavaScript code is executed automatically (Stored XSS) when a legitimate user visits the dashboard page. The vulnerability is exploitable by creating a “div” section and embedding in it an “svg” element with JavaScript code.

How to fix Cross-site Scripting (XSS)?

Upgrade apache-superset to version 0.38.1 or higher.

Vulnerable versions: (,0.38.1), i.e. all versions below 0.38.1