CVE-2025-48912
Apache Superset: Improper authorization bypass on row level security via SQL Injection
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.1EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
30 may 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.
This issue affects Apache Superset: before 4.1.2.
Users are recommended to upgrade to version 4.1.2, which fixes the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
Apache Software Foundation · Apache Superset