Описание
Apache Superset data query improperly discloses database schema information to low-privileged guest user
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.
This issue affects Apache Superset: before 4.1.3.
Users are recommended to upgrade to version 4.1.3, which fixes the issue.
Пакеты
apache-superset
< 4.1.3.post1
4.1.3.post1
Связанные уязвимости
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue.
Уязвимость программного обеспечения визуализации данных Apache Superset, связанная с отсутствием защиты служебных данных в конечной точке/chart/data, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации