Apache Superset
By the Year
In 2023 there have been 7 vulnerabilities in Apache Superset with an average score of 5.9 out of ten. Last year Superset had 3 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2023 as compared to last year. Last year, the average CVE base score was greater by 1.00
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 7 | 5.87 |
2022 | 3 | 6.87 |
2021 | 6 | 6.45 |
2020 | 3 | 7.80 |
2019 | 0 | 0.00 |
2018 | 1 | 9.80 |
It may take a day or so for new Superset vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Superset Security Vulnerabilities
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database
CVE-2022-41703
5.4 - Medium
- January 16, 2023
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
SQL Injection
Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors
CVE-2022-43717
5.4 - Medium
- January 16, 2023
Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
XSS
Upload data forms do not correctly render user input leading to possible XSS attack vectors
CVE-2022-43718
5.4 - Medium
- January 16, 2023
Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
XSS
Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery
CVE-2022-43719
8.8 - High
- January 16, 2023
Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
Session Riding
An authenticated attacker with write CSS template permissions can create a record with specific HTML tags
CVE-2022-43720
5.4 - Medium
- January 16, 2023
An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on
CVE-2022-43721
5.4 - Medium
- January 16, 2023
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
Open Redirect
When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system
CVE-2022-45438
5.3 - Medium
- January 16, 2023
When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
Exposure of Resource to Wrong Sphere
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on
CVE-2021-37839
4.3 - Medium
- July 06, 2022
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.
Improper Check for Dropped Privileges
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests
CVE-2022-27479
9.8 - Critical
- April 13, 2022
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.
SQL Injection
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users
CVE-2021-44451
6.5 - Medium
- February 01, 2022
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.
Insufficiently Protected Credentials
Improper output neutralization for Logs
CVE-2021-42250
6.5 - Medium
- November 17, 2021
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.
Output Sanitization
Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users
CVE-2021-41972
6.5 - Medium
- November 12, 2021
Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page
CVE-2021-32609
5.4 - Medium
- October 18, 2021
Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page.
XSS
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default)
CVE-2021-41971
8.8 - High
- October 18, 2021
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.
SQL Injection
Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious
CVE-2021-28125
6.1 - Medium
- April 27, 2021
Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.
Open Redirect
Apache Superset up to and including 0.38.0
CVE-2021-27907
5.4 - Medium
- March 05, 2021
Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javascript code will be automatically executed (Stored XSS) when a legitimate user surfs on the dashboard page. The vulnerability is exploitable creating a div section and embedding in it a svg element with javascript code.
XSS
In the course of work on the open source project it was discovered
CVE-2020-13952
8.1 - High
- September 30, 2020
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 0.37.2.
While investigating a bug report on Apache Superset, it was determined
CVE-2020-13948
8.8 - High
- September 17, 2020
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Pythons `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE.
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1
CVE-2020-1932
6.5 - Medium
- January 28, 2020
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.
Information Disclosure
Versions of Superset prior to 0.23 used an unsafe load method
CVE-2018-8021
9.8 - Critical
- November 07, 2018
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
Marshaling, Unmarshaling
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Superset or by Apache? Click the Watch button to subscribe.
