CVE-2024-53949 HIGH

CVE-2024-53949: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-863 · Incorrect authorization

Published December 9, 2024

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Key dates

Disclosure timeline

December 9, 2024 CVE published

February 12, 2025 Record updated

Identifiers

CVE CVE-2024-53949

CWE CWE-863

CVSS 7.6 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 2.0.0 and < 4.1.0