CVE-2023-49734 HIGH

CVE-2023-49734: Apache Superset: Privilege Escalation Vulnerability

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-863 · Incorrect authorization

Published December 19, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

Description

An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.

Key dates

Disclosure timeline

December 19, 2023 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2023-49734

CWE CWE-863

CVSS 7.7 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected < 2.1.2

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 3.0.0 and < 3.0.2