====================================================================
                            CERT-Renater

               Information Note No. 2019/VULN414
_____________________________________________________________________

DATE                 : 17/12/2019

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Apache Incubator Superset
                       versions prior to 0.32.

=====================================================================
http://mail-archives.apache.org/mod_mbox/superset-dev/201912.mbox/%3cCALSkbjoeqqUHMZgEzeELb_zhzwwBBcFofTNYLaVHz_zYMc42_Q@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/superset-dev/201912.mbox/%3cCALSkbjqVP3ZGk4T5oyNQEGhNGD82RohwAC44mN35V1riCWMkMQ@mail.gmail.com%3e
_____________________________________________________________________

Severity: Low

Vendor: The Apache Software Foundation

Product: Apache Incubator Superset

Versions Affected: Superset < 0.32

Description:
A user can view database names that he has no access to on a dropdown
list in SQLLab.

Mitigation:
Superset users on versions prior to 0.32 should upgrade to 0.32 or
higher.
_____________________________________________________________________

Severity: Low

Vendor: The Apache Software Foundation

Product: Apache Incubator Superset

Versions Affected: Superset < 0.31

Description:
A user could query database metadata information from a database he
has no access to, by using a specially crafted complex query.

Mitigation:
Superset users on versions prior to 0.31 should upgrade to 0.31 or
higher.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email : cert@support.renater.fr +
=========================================================