Apache Superset <=2.1.0 Improper REST API Permission for Gamma Users
CVE-2023-36387 Published on September 6, 2023

Apache Superset: Improper API permission for low privilege users
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-36387 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2023-36387 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2023-36387

Want to know whenever a new CVE is published for Apache Superset? stack.watch will email you.

Apache Superset
 

Affected Versions

Apache Software Foundation Apache Superset:

Exploit Probability

EPSS
0.02%
Percentile
5.40%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.