Apache Superset: high-risk vulnerabilities

Each entry lists: publication date, CVE identifier, vulnerability title, description, and a risk line (attack vector, attack complexity, vendor, CWE where assigned, CVSS base score).
2023-12-19  CVE-2023-49736  SQL Injection vulnerability in Apache Superset
  The where_in Jinja macro lets users specify the quote character used around each value; combined with a carefully crafted statement this allows SQL injection in Apache Superset. This issue affects Apache Superset versions before 2.1.2, and 3.0.0 up to (excluding) 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.
  Attack vector: network; attack complexity: low; vendor: apache; CWE-89; CVSS 8.8
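The following is an added example, not code from Apache Superset or its advisory. It reconstructs, from the advisory text alone, the pattern it describes: a where_in-style macro whose quote character is a caller-supplied parameter, next to a hardened variant with a fixed quote, per-value escaping and an identifier check on the column name. All function names (where_in_unsafe, where_in_safe, filter_clause) and the sample inputs are hypothetical.

```python
import re
from typing import Iterable

# Added example (not Superset's code): the caller-chosen-quote pattern the
# advisory describes, beside a hardened IN-list builder.  Names are hypothetical.

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def where_in_unsafe(values: Iterable[object], mark: str = "'") -> str:
    """Wrap each value in the caller-chosen quote character `mark`.

    The flaw: `mark` is SQL syntax, not data.  A template author who controls
    it (mark="" for instance) turns the "list of string literals" into raw SQL,
    so a value such as "1) OR (1=1" is spliced into the statement verbatim.
    """
    items = [f"{mark}{v}{mark}" for v in values]
    return "(" + ", ".join(items) + ")"


def where_in_safe(values: Iterable[object]) -> str:
    """Build an IN (...) list with a fixed quote and per-value escaping.

    - the quote character is hard-coded, never a macro parameter;
    - strings are single-quoted with embedded quotes doubled (ANSI SQL);
    - ints and floats are emitted bare; anything else (bool included) is
      rejected rather than silently str()'d into the query.
    Caveat: some dialects (MySQL under its default sql_mode, for one) also treat
    backslash as an escape, so bind parameters through the driver remain the
    right tool where the engine offers them.  The point demonstrated here is
    narrower: the quoting rule must not be selectable by the template author.
    """
    items = []
    for v in values:
        if isinstance(v, bool) or not isinstance(v, (str, int, float)):
            raise TypeError(f"unsupported IN-list value: {v!r}")
        if isinstance(v, str):
            items.append("'" + v.replace("'", "''") + "'")
        else:
            items.append(str(v))
    return "(" + ", ".join(items) + ")"


def filter_clause(column: str, values: Iterable[object]) -> str:
    """`column IN (...)` with the column name restricted to a plain identifier,
    so the macro's other free-text parameter cannot carry SQL either."""
    if not _IDENT.match(column):
        raise ValueError(f"refusing non-identifier column name: {column!r}")
    return f"{column} IN {where_in_safe(values)}"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(where_in_unsafe(["us", "eu"]))             # ('us', 'eu')
    print(where_in_unsafe(["1) OR (1=1"], mark=""))  # (1) OR (1=1)  quote dropped, SQL spliced in
    print(where_in_safe(["O'Brien", 7, 2.5]))         # ('O''Brien', 7, 2.5)
    print(filter_clause("region", ["us", "eu"]))      # region IN ('us', 'eu')
```

The second call shows the whole mechanism: with the quote character under the caller's control, the value no longer needs to break out of a literal, because there is no literal. The hardened builder removes that parameter entirely; what remains injectable is only what the escaping rule misses, which is why the comment still points at driver-level bind parameters.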
2023-11-27  CVE-2023-40610  Incorrect Authorization vulnerability in Apache Superset
  An improper authorization check allows possible privilege escalation in Apache Superset versions up to, but excluding, 2.1.2.
  Attack vector: network; attack complexity: low; vendor: apache; CWE-863; CVSS 8.8
2023-01-16  CVE-2022-43719  Cross-Site Request Forgery (CSRF) vulnerability in Apache Superset
  Two legacy REST API endpoints, for approval and for requesting access, are vulnerable to cross-site request forgery.
  Attack vector: network; attack complexity: low; vendor: apache; CWE-352; CVSS 8.8
2021-10-18  CVE-2021-41971  SQL Injection vulnerability in Apache Superset
  Apache Superset up to and including 1.3.0, when configured with ENABLE_TEMPLATE_PROCESSING turned on (it is disabled by default), allowed SQL injection when a malicious authenticated user sent an HTTP request with a custom URL.
  Attack vector: network; attack complexity: low; vendor: apache; CWE-89; CVSS 8.8
2020-09-30  CVE-2020-13952  Unspecified vulnerability in Apache Superset
  In the course of work on the open source project it was discovered that authenticated users running queries against the Hive and Presto database engines could access information through a number of templated fields. The exposed data included the contents of query description metadata from the metadata database, the hashed password of the authenticated user, and connection information including the plaintext password for the current connection.
  Attack vector: network; attack complexity: low; vendor: apache; CVSS 8.1
2020-09-17  CVE-2020-13948  Unspecified vulnerability in Apache Superset
  While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests through a number of templated text fields in the product that allowed arbitrary access to Python's `os` package in the web application process, in versions before 0.37.1.
  Attack vector: network; attack complexity: low; vendor: apache; CVSS 8.8