CVE-2023-30776 MEDIUM

CVE-2023-30776: Apache Superset: Database connection password leak

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-522 · Insufficiently protected credentials

Published April 24, 2023

Last update October 21, 2024

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1.

Key dates

Disclosure timeline

April 24, 2023 CVE published

October 21, 2024 Record updated

Identifiers

CVE CVE-2023-30776

CWE CWE-522

CVSS 4.9 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 1.3.0 and ≤ 2.0.1