Improper Authorization Affecting apache-superset package, versions [,4.1.0rc2)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-APACHESUPERSET-8501337
  • published13 Dec 2024
  • disclosed12 Dec 2024
  • creditJames Ford

Introduced: 12 Dec 2024

NewCVE-2024-55633  (opens in a new tab)
CWE-285  (opens in a new tab)

How to fix?

Upgrade apache-superset to version 4.1.0rc2 or higher.

Overview

apache-superset is a modern, enterprise-ready business intelligence web application.

Affected versions of this package are vulnerable to Improper Authorization through the SQLLab component. An attacker can execute unauthorized write operations by crafting a specially designed SQL DML statement that is incorrectly identified as a read-only query.

Note:

This is only exploitable if the database connection is not set with a readonly user.

CVSS Scores

version 4.0
version 3.1