Vulnerabilities > Apache > Superset

DATE CVE VULNERABILITY TITLE RISK
2020-09-30 CVE-2020-13952 Unspecified vulnerability in Apache Superset
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection.
network
low complexity
apache
8.1
2020-09-17 CVE-2020-13948 Unspecified vulnerability in Apache Superset
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1.
network
low complexity
apache
8.8
2020-01-28 CVE-2020-1932 Unspecified vulnerability in Apache Superset
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1.
network
low complexity
apache
6.5
2019-12-16 CVE-2019-12414 Information Exposure vulnerability in Apache Superset
In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab
network
low complexity
apache CWE-200
5.3
2019-12-16 CVE-2019-12413 Unspecified vulnerability in Apache Superset
In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query.
network
low complexity
apache
5.3
2018-11-07 CVE-2018-8021 Deserialization of Untrusted Data vulnerability in Apache Superset
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution.
network
low complexity
apache CWE-502
critical
9.8