CVE-2023-25504

描述

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.

受影響套件(2)

• Bitnami/supersetfrom 0, < 2.0.2
• PyPI/apache-supersetfrom 0, < 2.1.0

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-25504
• PATCHhttps://github.com/apache/superset
• WEBhttps://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx
• WEBhttp://www.openwall.com/lists/oss-security/2023/04/18/8