How does CVE-2022-43720 affect Apache Superset?

CVE-2022-43720 affects Apache Superset version 1.5.2 and prior versions, as well as version 2.0.0 and version 2.0.0-rc1 and version 2.0.0-rc2.

What is the severity of CVE-2022-43720?

CVE-2022-43720 has a severity rating of 5.4 (medium).

How can an attacker exploit CVE-2022-43720?

An authenticated attacker with write CSS template permissions can exploit CVE-2022-43720 by creating a record with specific HTML tags that will not be properly escaped, causing a vulnerability when a user deletes that specific CSS template record.

Is there a fix available for CVE-2022-43720?

Yes, updating to Apache Superset version 2.0.0 or later will fix the vulnerability.

Vulnerability/
CVE-2022-43720

medium

5.4

CWE

16/1/2023

3/8/2024

CVE-2022-43720: Apache Superset: Improper rendering of user input

Q: What is CVE-2022-43720?

CVE-2022-43720 is a vulnerability in Apache Superset versions prior to 2.0.0 that allows an authenticated attacker with write CSS template permissions to create a record with specific HTML tags that will not be properly escaped.

First published: Mon Jan 16 2023(Updated: )

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
Apache Superset	<=1.5.2
Apache Superset	=2.0.0
Apache Superset	=2.0.0-rc1
Apache Superset	=2.0.0-rc2

Never miss a vulnerability like this again

Reference Links

https://lists.apache.org/thread/jts6x56kghr9mbowb653bk70pl81jp8l

Frequently Asked Questions

What is CVE-2022-43720?
CVE-2022-43720 is a vulnerability in Apache Superset versions prior to 2.0.0 that allows an authenticated attacker with write CSS template permissions to create a record with specific HTML tags that will not be properly escaped.
How does CVE-2022-43720 affect Apache Superset?
CVE-2022-43720 affects Apache Superset version 1.5.2 and prior versions, as well as version 2.0.0 and version 2.0.0-rc1 and version 2.0.0-rc2.
What is the severity of CVE-2022-43720?
CVE-2022-43720 has a severity rating of 5.4 (medium).
How can an attacker exploit CVE-2022-43720?
An authenticated attacker with write CSS template permissions can exploit CVE-2022-43720 by creating a record with specific HTML tags that will not be properly escaped, causing a vulnerability when a user deletes that specific CSS template record.
Is there a fix available for CVE-2022-43720?
Yes, updating to Apache Superset version 2.0.0 or later will fix the vulnerability.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/references
agent/severity
agent/title
agent/last-modified-date
agent/weakness
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/apache
canonical/apache superset
version/apache superset/1.5.2
version/apache superset/2.0.0
version/apache superset/2.0.0-rc1
version/apache superset/2.0.0-rc2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.