A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery
attacks and query internal resources on behalf of the server where Superset
is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/04/18/8 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx | Mailing List |
Configurations
History
27 Apr 2023, 14:08
Type | Values Removed | Values Added |
---|---|---|
First Time |
Apache superset
Apache |
|
CPE | cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
References | (MISC) https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx - Mailing List | |
References | (MISC) http://www.openwall.com/lists/oss-security/2023/04/18/8 - Mailing List, Third Party Advisory |
18 Apr 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Apr 2023, 17:33
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-17 17:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-25504
Mitre link : CVE-2023-25504
CVE.ORG link : CVE-2023-25504
JSON object : View
Products Affected
apache
- superset
CWE
CWE-918
Server-Side Request Forgery (SSRF)