CVE-2023-42504 MEDIUM

CVE-2023-42504: Apache Superset: Lack of rate limiting allows for possible denial of service

Vendor Apache Software Foundation
Product Apache Superset
Weakness CWE-770 · Uncontrolled resource consumption
Published November 28, 2023
Last update February 13, 2025

CVSS base score

5.8/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

Description

An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service. This issue affects Apache Superset versions before 3.0.0.

Key dates

Disclosure timeline

November 28, 2023 CVE published
February 13, 2025 Record updated