Vulnerability Description
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Superset | <= 2.0.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/04/18/8Mailing ListThird Party Advisory
- https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtxMailing List
- http://www.openwall.com/lists/oss-security/2023/04/18/8Mailing ListThird Party Advisory
- https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtxMailing List
FAQ
What is CVE-2023-25504?
CVE-2023-25504 is a vulnerability with a CVSS score of 4.9 (MEDIUM). A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query in...
How severe is CVE-2023-25504?
CVE-2023-25504 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25504?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.