CVE-2024-24779

Опубликовано: 28 фев. 2024

Источник: nvd

CVSS3: 5

CVSS3: 6.5

EPSS Низкий

Описание

Apache Superset with custom roles that include can write on dataset and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2024/02/28/6
Mailing List
Third Party Advisory
https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/28/6
Mailing List
Third Party Advisory
https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия до 3.0.4 (включая)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия от 3.1.0 (включая) до 3.1.1 (исключая)

EPSS

Процентиль: 39%

0.00174

Низкий

5 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-wr6g-9wcr-cmqj

CVSS3: 5

github

почти 2 года назад

Apache Superset: Improper data authorization when creating a new dataset

EPSS

Процентиль: 39%

0.00174

Низкий

5 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-863