CVE-2023-42501 (GCVE-0-2023-42501)
Vulnerability from cvelistv5 – Published: 2023-11-27 10:23 – Updated: 2025-06-05 14:08
Title
Apache Superset: Unnecessary read permissions within the Gamma role
Summary
Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.
This issue affects Apache Superset: before 2.1.2.
Users should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role, or remove the `can_read` permission from the mentioned resources.
Severity
4.3 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
apache (Apache Software Foundation)
References
- https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh (vendor advisory)
- http://www.openwall.com/lists/oss-security/2023/11/27/3 (oss-security mailing list)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Superset | Affected: 0 , < 2.1.2 (semver) |
Credits
Miguel Segovia Gil
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:39.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_superset:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_superset",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T19:01:45.929047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T14:08:25.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Superset",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miguel Segovia Gil"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\u003cbr\u003eThis issue affects Apache Superset: before 2.1.2.\u003cbr\u003eUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T10:25:07.167Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Superset: Unnecessary read permissions within the Gamma role",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-42501",
"datePublished": "2023-11-27T10:23:47.721Z",
"dateReserved": "2023-09-11T09:03:06.448Z",
"dateUpdated": "2025-06-05T14:08:25.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.1.1\", \"matchCriteriaId\": \"70A1ED21-6FFF-43FF-8F10-B3C97E01A2DA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\\nThis issue affects Apache Superset: before 2.1.2.\\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Los permisos de lectura innecesarios dentro de la funci\\u00f3n Gamma permitir\\u00edan a los usuarios autenticados leer plantillas y anotaciones CSS configuradas. Este problema afecta a Apache Superset: antes de 2.1.2. Los usuarios deben actualizar a la versi\\u00f3n 2.1.2 o superior y ejecutar `superset init` para reconstruir la funci\\u00f3n Gamma o eliminar el permiso `can_read` de los recursos mencionados.\"}]",
"id": "CVE-2023-42501",
"lastModified": "2024-11-21T08:22:40.780",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
"published": "2023-11-27T11:15:07.743",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/3\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-276\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-42501\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-11-27T11:15:07.743\",\"lastModified\":\"2025-02-13T17:17:08.593\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\\nThis issue affects Apache Superset: before 2.1.2.\\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\"},{\"lang\":\"es\",\"value\":\"Los permisos de lectura innecesarios dentro de la funci\u00f3n Gamma permitir\u00edan a los usuarios autenticados leer plantillas y anotaciones CSS configuradas. Este problema afecta a Apache Superset: antes de 2.1.2. Los usuarios deben actualizar a la versi\u00f3n 2.1.2 o superior y ejecutar `superset init` para reconstruir la funci\u00f3n Gamma o eliminar el permiso `can_read` de los recursos 
mencionados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.1\",\"matchCriteriaId\":\"70A1ED21-6FFF-43FF-8F10-B3C97E01A2DA\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/27/3\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/27/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing 
List\"]},{\"url\":\"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/3\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:23:39.502Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-42501\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-29T19:01:45.929047Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache_software_foundation:apache_superset:*:*:*:*:*:*:*:*\"], \"vendor\": \"apache_software_foundation\", \"product\": \"apache_superset\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.12\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-29T19:05:42.680Z\"}}], \"cna\": {\"title\": \"Apache Superset: Unnecessary read permissions within the Gamma role\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Miguel Segovia Gil\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": 
\"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Superset\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.1.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/3\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\\nThis issue affects Apache Superset: before 2.1.2.\\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\u003cbr\u003eThis issue affects Apache Superset: before 2.1.2.\u003cbr\u003eUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-276\", \"description\": \"CWE-276 Incorrect Default Permissions\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-11-27T10:25:07.167Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-42501\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-05T14:08:25.751Z\", \"dateReserved\": \"2023-09-11T09:03:06.448Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2023-11-27T10:23:47.721Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.