apache-superset@4.1.4rc1 vulnerabilities

A modern, enterprise-ready business intelligence web application

  • latest version: 5.0.0

  • latest non vulnerable version

  • first published: 5 years ago

  • latest version published: 2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the apache-superset package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: M (medium)
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the DISALLOWED_SQL_FUNCTIONS setting: a specially crafted inline block can execute SQL functions that the setting was intended to block, allowing an attacker to access sensitive database information.

    How to fix SQL Injection?

    Upgrade apache-superset to version 6.0.0rc1 or higher.

    Vulnerable versions: [,6.0.0rc1)
    • Severity: M (medium)
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization via the /explore endpoint, which lacks an authorization check. An attacker can obtain sensitive metadata about datasources by iterating through the datasource_id parameter in the URL and confirming the existence and names of protected datasources.

    How to fix Missing Authorization?

    Upgrade apache-superset to version 5.0.0 or higher.

    Vulnerable versions: [,5.0.0)