Vulnerability Description
Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Superset | < 2.1.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/11/27/2Mailing ListThird Party Advisory
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-
- https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rotMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/11/27/2Mailing ListThird Party Advisory
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-
- https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rotMailing ListVendor Advisory
FAQ
What is CVE-2023-40610?
CVE-2023-40610 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples sche...
How severe is CVE-2023-40610?
CVE-2023-40610 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40610?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.