CVE-2023-42502 MEDIUM

CVE-2023-42502: Apache Superset: Open Redirect Vulnerability

Vendor Apache Software Foundation
Product Apache Superset
Weakness CWE-601 · Open redirect
Published November 28, 2023
Last update August 2, 2024

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

An authenticated attacker with the update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header; users could then be redirected to that site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

Key dates

Disclosure timeline

November 28, 2023 CVE published
August 2, 2024 Record updated