CVE-2023-36388

Published: Sep 6, 2023Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.

Affected (1)

Products: Apache: Superset

Apache

1 product

Superset

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Superset	Up to 2.1.0

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://lists.apache.org/thread/ccmjjz4jp17yc2kcd18qshmdtf7qorfs

Source: security@apache.org

Mailing List

https://lists.apache.org/thread/ccmjjz4jp17yc2kcd18qshmdtf7qorfs

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.