Auth bypass in Apache Superset
CVE-2023-49734
An authenticated Gamma user can create a dashboard and add charts to it; that user then automatically becomes one of the owners of those charts, incorrectly gaining write permissions on them. This issue affe…
Vulnerability class: Broken Access Control
EPSS: 0.009 (56.5th percentile)
CVSS v3 metric
CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N.
Affected products
- Apache Superset
- Apache Software Foundation Superset — versions 0, 3.0.0
Weakness classification (CWE)
References
- security@apache.org (Mailing List, Vendor Advisory)
- security@apache.org (Mailing List, Third Party Advisory)
Frequently asked questions
- What is CVE-2023-49734?
- CVE-2023-49734 is a high-severity vulnerability in Apache Superset, classified under Incorrect Authorization. CVSS score: 7.7/10. Published 2023-12-19.
- How severe is CVE-2023-49734?
- High severity. CVSS v3 base score is 7.7 out of 10.