CVE-2023-32672 MEDIUM

CVE-2023-32672: Apache Superset: SQL parser edge case bypasses data access authorization

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-863 · Incorrect authorization

Published September 6, 2023

Last update September 26, 2024

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.

Key dates

Disclosure timeline

September 6, 2023 CVE published

September 26, 2024 Record updated