CVE-2024-24773

Опубликовано: 28 фев. 2024

Источник: nvd

CVSS3: 4.9

CVSS3: 6.5

EPSS Низкий

Описание

Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2024/02/28/4
Mailing List
Third Party Advisory
https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/28/4
Mailing List
Third Party Advisory
https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия до 3.0.4 (исключая)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия от 3.1.0 (включая) до 3.1.1 (исключая)

EPSS

Процентиль: 35%

0.00144

Низкий

4.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-5474-f7g5-273q

CVSS3: 4.9

github

почти 2 года назад

Apache Superset: Improper validation of SQL statements allows for unauthorized access to data

EPSS

Процентиль: 35%

0.00144

Низкий

4.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-863