A vulnerability, which was classified as problematic, has been found in Apache Superset up to 0.37.1. Affected by this issue is an unknown function of the component Database Connection. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users&acirc;&euro;&trade; password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 0.37.2.

The weakness was disclosed 09/30/2020 (Website). The advisory is shared for download at lists.apache.org. This vulnerability is handled as CVE-2020-13952 since 06/08/2020. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 0.37.2 eliminates this vulnerability.

Productinfo

Vendor

• Apache

Name

• Superset

Version

• 0.37.0
• 0.37.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion