CVE-2024-26016

Опубликовано: 28 фев. 2024

Источник: nvd

CVSS3: 4.3

CVSS3: 5.4

EPSS Низкий

Описание

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.

This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2024/02/28/7
Mailing List
Third Party Advisory
https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/28/7
Mailing List
Third Party Advisory
https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия до 3.0.4 (исключая)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

Версия от 3.1.0 (включая) до 3.1.1 (исключая)

EPSS

Процентиль: 40%

0.00182

Низкий

4.3 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-3v9r-885j-762g

CVSS3: 4.3

github

почти 2 года назад

Apache Superset: Improper authorization validation on dashboards and charts import

EPSS

Процентиль: 40%

0.00182

Низкий

4.3 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-863