CVE-2023-25504: Apache Superset: Possible SSRF on import datasets
First published: Mon Apr 17 2023(Updated: )
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Superset | <=2.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-25504.
What is the severity of CVE-2023-25504?
The severity of CVE-2023-25504 is medium with a CVSS score of 6.5.
What is the affected software?
The affected software is Apache Superset version up to and inclusive of 2.0.1.
What is the impact of this vulnerability?
This vulnerability allows a malicious actor with authenticated access and specific permissions in Apache Superset to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server.
Are there any references or additional information available?
Yes, you can find additional information on this vulnerability at the following references: [Reference 1](http://www.openwall.com/lists/oss-security/2023/04/18/8) and [Reference 2](https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/title
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/apache
- canonical/apache superset
- version/apache superset/2.0.1