Vulnerability-Lookup

CVE-2023-40610 (GCVE-0-2023-40610)

Vulnerability from cvelistv5 – Published: 2023-11-27 10:22 – Updated: 2025-06-03 13:59

Title

Apache Superset: Privilege escalation with default examples database

Summary

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2023/11/27/2
	https://github.com/orangecertcc/security-research…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Superset	Affected: 0 , < 2.1.2 (semver)

Credits

LEXFO for Orange Innovation and Orange CERT-CC at Orange group

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:38:51.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40610",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T13:59:25.937531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T13:59:39.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Superset",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LEXFO for Orange Innovation and Orange CERT-CC  at Orange group"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper authorization check and possible privilege escalation on Apache Superset\u0026nbsp;up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-10T16:49:59.636Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
        },
        {
          "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Superset: Privilege escalation with default examples database",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-40610",
    "datePublished": "2023-11-27T10:22:41.083Z",
    "dateReserved": "2023-08-17T12:56:13.976Z",
    "dateUpdated": "2025-06-03T13:59:39.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.1.2\", \"matchCriteriaId\": \"15732220-B366-4C92-A7D6-8C5DF4C9CA20\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper authorization check and possible privilege escalation on Apache Superset\\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Verificaci\\u00f3n de autorizaci\\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\\u00e9ndolo. Utilizando la conexi\\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\\u00f3n SQL CTE especialmente manipulada podr\\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\\u00eda resultar en la manipulaci\\u00f3n de los datos de autenticaci\\u00f3n/autorizaci\\u00f3n.\"}]",
      "id": "CVE-2023-40610",
      "lastModified": "2024-11-21T08:19:49.407",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2023-11-27T11:15:07.293",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40610\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-11-27T11:15:07.293\",\"lastModified\":\"2025-02-13T17:17:04.687\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\"},{\"lang\":\"es\",\"value\":\"Verificaci\u00f3n de autorizaci\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\u00e9ndolo. Utilizando la conexi\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\u00f3n SQL CTE especialmente manipulada podr\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\u00eda resultar en la manipulaci\u00f3n de los datos de autenticaci\u00f3n/autorizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.2\",\"matchCriteriaId\":\"15732220-B366-4C92-A7D6-8C5DF4C9CA20\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/27/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/27/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/2\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:38:51.121Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-40610\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-03T13:59:25.937531Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-03T13:59:34.518Z\"}}], \"cna\": {\"title\": \"Apache Superset: Privilege escalation with default examples database\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"LEXFO for Orange Innovation and Orange CERT-CC  at Orange group\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Superset\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.1.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/2\"}, {\"url\": \"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper authorization check and possible privilege escalation on Apache Superset\\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper authorization check and possible privilege escalation on Apache Superset\u0026nbsp;up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-01-10T16:49:59.636Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-40610\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-03T13:59:39.739Z\", \"dateReserved\": \"2023-08-17T12:56:13.976Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2023-11-27T10:22:41.083Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-F678-J579-4XF5

Vulnerability from github – Published: 2023-11-28 18:56 – Updated: 2024-01-10 19:17

Summary

Apache Superset - Elevation of Privilege

Details

Overview

An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.

Details

On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords. Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability).

Proof of Concept

Some tables are supposed to accept only SELECT requests from the SQL tab. - Attempt to create a new user injected_admin into the ab_user table: PoC_1

But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query. INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax: WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, ‘injected_admin’, ‘injected_admin’, ‘injected_admin’, ‘injected_admin@gmail.com’, ‘{PASSWORD_HASH}’) RETURNING id ) SELECT * FROM a; PoC_2 - injected_admin added to the ab_user table: PoC_3

This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator. - Locating the ID of the user ‘Auditeur B’, who has no rights and is not an admin. The request is done being ‘Auditeur B’: PoC_4 - Locating the rows that keep the role of the user ‘Auditeur B’. The row 36 stores the value 3, indicating the role ‘Alpha’ for ‘Auditeur B’: PoC_5 - Modification of the row 36 with an UPDATE request embedded in a WITH request: PoC_6 - ‘Auditeur B’ role has been changed to Admin: PoC_7

This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).

Solution

Orange recommendation

To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.

Security patch

Upgrade to Superset version 2.1.2.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40610 https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Credits

LEXFO for Orange Innovation

Orange CERT-CC at Orange group

Timeline

Date reported: July 27, 2023 Date fixed: November 27, 2023

Severity ?

7.3 (High)


                  
                    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T18:56:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Overview\nAn attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.\n\n### Details\nOn a more general level, diverse tables who are supposed to be only readable can be modified using the WITH \u2026 AS and RETURNING keywords.\nModification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. \"V7 - Insecure deserialization leading to remote code execution\" report vulnerability).\n\n### Proof of Concept\nSome tables are supposed to accept only SELECT requests from the SQL tab.\n- Attempt to create a new user injected_admin into the ab_user table: [PoC_1](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_1.png)\n\nBut this protection can be bypassed by using the WITH \u2026 AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query.\nINSERT query accepted by the database due to the use of WITH \u2026 AS ( \u2026 RETURNING ) syntax:\n  WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, \u2018injected_admin\u2019, \u2018injected_admin\u2019, \u2018injected_admin\u2019, \u2018injected_admin@gmail.com\u2019, \u2018{PASSWORD_HASH}\u2019) RETURNING id ) SELECT * FROM a;\n  [PoC_2](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_2.png)\n  - injected_admin added to the ab_user table: [PoC_3](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_3.png)\n\nThis method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator.\n- Locating the ID of the user \u2018Auditeur B\u2019, who has no rights and is not an admin. The request is done being \u2018Auditeur B\u2019: [PoC_4](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_4.png)\n- Locating the rows that keep the role of the user \u2018Auditeur B\u2019. The row 36 stores the value 3, indicating the role \u2018Alpha\u2019 for \u2018Auditeur B\u2019: [PoC_5](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_5.png)\n- Modification of the row 36 with an UPDATE request embedded in a WITH request: [PoC_6](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_6.png)\n- \u2018Auditeur B\u2019 role has been changed to Admin: [PoC_7](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_7.png)\n\nThis technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).\n\n### Solution\n#### Orange recommendation\nTo fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.\n#### Security patch\nUpgrade to Superset version 2.1.2.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-40610\nhttps://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\n\n### Credits\nLEXFO for [Orange Innovation][orange]\n\n[Orange CERT-CC][ora] at [Orange group][orange]\n\n[ora]: \u003chttps://cert.orange.com/\u003e\n[orange]: \u003chttps://www.orange.com/\u003e\n\n### Timeline\n**Date reported:** July 27, 2023\n**Date fixed:** November 27, 2023",
  "id": "GHSA-f678-j579-4xf5",
  "modified": "2024-01-10T19:17:04Z",
  "published": "2023-11-28T18:56:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40610"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/superset"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Superset - Elevation of Privilege"
}

GSD-2023-40610

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-40610

Aliases

CVE-2023-40610

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-40610",
    "id": "GSD-2023-40610"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-40610"
      ],
      "details": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\n\n",
      "id": "GSD-2023-40610",
      "modified": "2023-12-13T01:20:43.840390Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-40610",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Superset",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "2.1.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "LEXFO for Orange Innovation and Orange CERT-CC  at Orange group"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863 Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2023/11/27/2",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
          },
          {
            "name": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5",
            "refsource": "MISC",
            "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "15732220-B366-4C92-A7D6-8C5DF4C9CA20",
                    "versionEndExcluding": "2.1.2",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\n\n"
          },
          {
            "lang": "es",
            "value": "Verificaci\u00f3n de autorizaci\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\u00e9ndolo. Utilizando la conexi\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\u00f3n SQL CTE especialmente manipulada podr\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\u00eda resultar en la manipulaci\u00f3n de los datos de autenticaci\u00f3n/autorizaci\u00f3n."
          }
        ],
        "id": "CVE-2023-40610",
        "lastModified": "2024-01-10T17:15:08.717",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 4.0,
              "source": "security@apache.org",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-11-27T11:15:07.293",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
          },
          {
            "source": "security@apache.org",
            "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Vendor Advisory"
            ],
            "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

CNVD-2023-96660

Vulnerability from cnvd - Published: 2023-12-13

Title

Apache Superset授权问题漏洞（CNVD-2023-9666047）

Description

Apache Superset是美国阿帕奇（Apache）基金会的一个数据可视化和数据探索平台。 Apache Superset 2.1.2之前版本存在授权问题漏洞，该漏洞源于存在不正确的授权检查。攻击者可利用该漏洞导致身份验证和授权数据被篡改。

Severity

中

Patch Name

Apache Superset授权问题漏洞（CNVD-2023-9666047）的补丁

Patch Description

Apache Superset是美国阿帕奇（Apache）基金会的一个数据可视化和数据探索平台。 Apache Superset 2.1.2之前版本存在授权问题漏洞，该漏洞源于存在不正确的授权检查。攻击者可利用该漏洞导致身份验证和授权数据被篡改。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-40610

Impacted products

Name
Apache Superset <2.1.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-40610",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-40610"
    }
  },
  "description": "Apache Superset\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6570\u636e\u53ef\u89c6\u5316\u548c\u6570\u636e\u63a2\u7d22\u5e73\u53f0\u3002\n\nApache Superset 2.1.2\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u4e0d\u6b63\u786e\u7684\u6388\u6743\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u6570\u636e\u88ab\u7be1\u6539\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-96660",
  "openTime": "2023-12-13",
  "patchDescription": "Apache Superset\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6570\u636e\u53ef\u89c6\u5316\u548c\u6570\u636e\u63a2\u7d22\u5e73\u53f0\u3002\r\n\r\nApache Superset 2.1.2\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u4e0d\u6b63\u786e\u7684\u6388\u6743\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u6570\u636e\u88ab\u7be1\u6539\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Superset\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2023-9666047\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Superset \u003c2.1.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-40610",
  "serverity": "\u4e2d",
  "submitTime": "2023-11-30",
  "title": "Apache Superset\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2023-9666047\uff09"
}

bit-superset-2023-40610

Vulnerability from bitnami_vulndb

Published

2025-02-05 07:27

Modified

2025-05-20 10:02

Summary

Apache Superset: Privilege escalation with default examples database

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "superset",
        "purl": "pkg:bitnami/superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40610"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
  },
  "details": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.",
  "id": "BIT-superset-2023-40610",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2025-02-05T07:27:36.004Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40610"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Apache Superset: Privilege escalation with default examples database"
}

WID-SEC-W-2023-3010

Vulnerability from csaf_certbund - Published: 2023-11-26 23:00 - Updated: 2023-11-26 23:00

Summary

Apache Superset: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Superset ist eine Open-Source-Plattform zur Datenexploration und -visualisierung.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Superset ausnutzen, um seine Privilegien zu erhöhen, Informationen offenzulegen oder einen Cross Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Superset ist eine Open-Source-Plattform zur Datenexploration und -visualisierung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Superset ausnutzen, um seine Privilegien zu erh\u00f6hen, Informationen offenzulegen oder einen Cross Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-3010 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3010.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-3010 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3010"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2023-11-27",
        "url": "https://www.openwall.com/lists/oss-security/2023/11/27/4"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2023-11-27",
        "url": "https://www.openwall.com/lists/oss-security/2023/11/27/3"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2023-11-27",
        "url": "https://www.openwall.com/lists/oss-security/2023/11/27/2"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Superset: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-11-26T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:02:04.947+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-3010",
      "initial_release_date": "2023-11-26T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-11-26T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Apache Superset \u003c 2.1.2",
            "product": {
              "name": "Apache Superset \u003c 2.1.2",
              "product_id": "T031357",
              "product_identification_helper": {
                "cpe": "cpe:/a:apache:superset:2.1.2"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-43701",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein authentisierter Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2023-11-26T23:00:00.000+00:00",
      "title": "CVE-2023-43701"
    },
    {
      "cve": "CVE-2023-42501",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Superset. Innerhalb der Gammarolle werden nicht notwendige Leseberechtigungen gesetzt. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um konfigurierte CSS-Vorlagen und Anmerkungen zu lesen."
        }
      ],
      "release_date": "2023-11-26T23:00:00.000+00:00",
      "title": "CVE-2023-42501"
    },
    {
      "cve": "CVE-2023-40610",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Superset. Aufgrund einer unsachgem\u00e4\u00dfen Berechtigungspr\u00fcfung bei der Verwendung der Standard-Beispiele-Datenbankverbindung, die den Zugriff sowohl auf das Beispiele-Schema als auch auf die Metadaten-Datenbank erm\u00f6glicht, kann ein Angreifer mit einer speziell gestalteten CTE-SQL-Anweisung Daten in der Metadaten-Datenbank \u00e4ndern. In der Folge kann er Authentifizierungs-/Autorisierungsdaten manipulieren und so seine Privilegien erweitern."
        }
      ],
      "release_date": "2023-11-26T23:00:00.000+00:00",
      "title": "CVE-2023-40610"
    }
  ]
}

FKIE_CVE-2023-40610

Vulnerability from fkie_nvd - Published: 2023-11-27 11:15 - Updated: 2025-02-13 17:17

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2023/11/27/2	Mailing List, Third Party Advisory
security@apache.org	https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5
security@apache.org	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2023/11/27/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	superset	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15732220-B366-4C92-A7D6-8C5DF4C9CA20",
              "versionEndExcluding": "2.1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data."
    },
    {
      "lang": "es",
      "value": "Verificaci\u00f3n de autorizaci\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\u00e9ndolo. Utilizando la conexi\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\u00f3n SQL CTE especialmente manipulada podr\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\u00eda resultar en la manipulaci\u00f3n de los datos de autenticaci\u00f3n/autorizaci\u00f3n."
    }
  ],
  "id": "CVE-2023-40610",
  "lastModified": "2025-02-13T17:17:04.687",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0,
        "source": "security@apache.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-27T11:15:07.293",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    },
    {
      "source": "security@apache.org",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-40610 (GCVE-0-2023-40610)

GHSA-F678-J579-4XF5

Overview

Details

Proof of Concept

Solution

Orange recommendation

Security patch

References

Credits

Timeline

GSD-2023-40610

CNVD-2023-96660

bit-superset-2023-40610

Vulnerability from bitnami_vulndb

WID-SEC-W-2023-3010

FKIE_CVE-2023-40610

Tags

Sightings

Nomenclature