CVE-2023-43701

Опубликовано: 27 нояб. 2023

Источник: nvd

CVSS3: 4.3

CVSS3: 5.4

EPSS Низкий

Описание

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Ссылки

https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892
Mailing List
https://www.openwall.com/lists/oss-security/2023/11/27/4
Mailing List
https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892
Mailing List
https://www.openwall.com/lists/oss-security/2023/11/27/4
Mailing List

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия до 2.1.2 (исключая)

EPSS

Процентиль: 41%

0.00188

Низкий

4.3 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-wq8q-99p5-xfrw

CVSS3: 4.3

github

около 2 лет назад

Apache Superset Cross-site Scripting vulnerability

EPSS

Процентиль: 41%

0.00188

Низкий

4.3 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79