Vulnerabilities > Apache > Superset > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-12-19 | CVE-2023-49736 | Unspecified vulnerability in Apache Superset A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. | 8.8 |
2023-11-27 | CVE-2023-40610 | Unspecified vulnerability in Apache Superset Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. | 8.8 |
2023-01-16 | CVE-2022-43719 | Unspecified vulnerability in Apache Superset Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. | 8.8 |
2021-10-18 | CVE-2021-41971 | SQL Injection vulnerability in Apache Superset Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL. | 8.8 |
2020-09-30 | CVE-2020-13952 | Unspecified vulnerability in Apache Superset In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. | 8.1 |
2020-09-17 | CVE-2020-13948 | Unspecified vulnerability in Apache Superset While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. | 8.8 |