CVE-2023-25504

Опубликовано: 17 апр. 2023

Источник: nvd

CVSS3: 4.9

CVSS3: 6.5

EPSS Низкий

Описание

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.

Ссылки

http://www.openwall.com/lists/oss-security/2023/04/18/8
Mailing List
Third Party Advisory
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx
Mailing List
http://www.openwall.com/lists/oss-security/2023/04/18/8
Mailing List
Third Party Advisory
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx
Mailing List

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия до 2.0.1 (включая)

EPSS

Процентиль: 11%

0.00039

Низкий

4.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-918

Связанные уязвимости

GHSA-fxjg-28fm-pfxh

CVSS3: 6.5

github

больше 2 лет назад

Apache Superset Server-Side Request Forgery vulnerability

EPSS

Процентиль: 11%

0.00039

Низкий

4.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-918