CVE-2024-26016

Apache Superset: Improper authorization validation on dashboards and charts import

CVSS 4.3 MEDIUMEPSS 0.9%CWE-863

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

28 feb 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Productos afectados

Apache Software Foundation · Apache Superset

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s http://www.openwall.com/lists/oss-security/2024/02/28/7