CVE-2023-36387 MEDIUM

CVE-2023-36387: Apache Superset: Improper API permission for low privilege users

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-863 · Incorrect authorization

Published September 6, 2023

Last update September 26, 2024

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

Description

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

Key dates

Disclosure timeline

September 6, 2023 CVE published

September 26, 2024 Record updated