CVE-2023-36387

MEDIUM5.4EPSS 0.02%

Apache Superset has improper default REST API permission for Gamma users

Published: 9/6/2023Modified: 2/5/2025

Also known as:GHSA-9832-mgg4-3gr6BIT-superset-2023-36387

Description

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

Affected packages (2)

Bitnami/supersetfrom 0, < 2.1.1
PyPI/apache-supersetfrom 0, <= 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-36387
PATCHhttps://github.com/apache/superset
WEBhttps://github.com/apache/superset/pull/24185
WEBhttps://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3