#VU85982 Permissions, Privileges, and Access Controls in Apache Superset - CVE-2023-49734

Cybersecurity Help s.r.o.

Published: 2024-01-31

Vulnerability identifier: #VU85982

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-49734

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Superset
Web applications / Other software

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to application does not properly impose security restrictions on created dashboard. A remote Gamma user can gain write permissions to charts that belong to other users.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Superset: 2.0.0 - 2.1.2, 3.0.0 - 3.0.1

External links
https://lists.apache.org/thread/985h6ltvtbvdoysso780kkj7x744cds5
https://www.openwall.com/lists/oss-security/2023/12/19/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apache Superset