CVE-2020-1932
MEDIUM6.5EPSS 0.22%Information disclosure in Apache Superset
Published: 2/26/2020Modified: 4/3/2025
Description
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.
Affected packages (3)
- Bitnami/superset>= 0.34.0, < 0.34.1, >= 0.34.1, < 0.34.2, >= 0.35.0, < 0.35.1, >= 0.35.1, < 0.35.2
- PyPI/apache-superset>= 0.34.0, < 0.35.2
- PyPI/apache-supersetfrom 0, < 0.35.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORYhttps://github.com/advisories/GHSA-fxjm-wvj9-9c39
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-1932
- PATCHhttps://github.com/apache/superset
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2020-224.yaml
- WEBhttps://lists.apache.org/thread.html/r4e5323c3bc786005495311a6ff53ac6d990b2c7eb52941a1a13ce227%40%3Cdev.superset.apache.org%3E