CVE-2022-45438

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*

History

21 Nov 2024, 07:29

Type Values Removed Values Added
References () https://lists.apache.org/thread/snxbkf2x9kww7s0wkmydct9nhqqn9rv9 - Mailing List, Vendor Advisory () https://lists.apache.org/thread/snxbkf2x9kww7s0wkmydct9nhqqn9rv9 - Mailing List, Vendor Advisory
Summary
  • (es) Al habilitar explícitamente la marca de función DASHBOARD_CACHE (deshabilitada de forma predeterminada), el sistema permitía que un usuario no autenticado accediera a los metadatos de configuración del panel mediante un endpoint de obtención de API REST. Este problema afecta a Apache Superset versión 1.5.2 y versiones anteriores y a la versión 2.0.0.

Information

Published : 2023-01-16 11:15

Updated : 2025-04-07 15:15


NVD link : CVE-2022-45438

Mitre link : CVE-2022-45438

CVE.ORG link : CVE-2022-45438


JSON object : View

Products Affected

apache

  • superset
CWE
CWE-668

Exposure of Resource to Wrong Sphere