CVE-2023-25504

Published: Apr 17, 2023Modified: Feb 13, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.

Affected (1)

Products: Apache: Superset

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Superset	Up to 2.0.1

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

http://www.openwall.com/lists/oss-security/2023/04/18/8

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx

Source: security@apache.org

Mailing List

http://www.openwall.com/lists/oss-security/2023/04/18/8

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.