=====================================================================
CERT-Renater Note d'Information No. 2023/VULN482
_____________________________________________________________________
DATE                 : 27/11/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Superset versions prior to 2.1.2.
=====================================================================

https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot
https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh
https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892

_____________________________________________________________________

CVE-2023-40610: Apache Superset: Privilege escalation with default examples database

Affected versions:
- Apache Superset before 2.1.2

Description:
Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, which allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data in the metadata database. This weakness could result in tampering with the authentication/authorization data.

Credit:
LEXFO for Orange Innovation and Orange CERT-CC at Orange group (finder)

References:
https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-40610

_____________________________________________________________________

CVE-2023-42501: Apache Superset: Unnecessary read permissions within the Gamma role

Affected versions:
- Apache Superset before 2.1.2

Description:
Unnecessary read permissions within the Gamma role allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset before 2.1.2. Users should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role, or remove the `can_read` permission from the mentioned resources.

Credit:
Miguel Segovia Gil (finder)

References:
https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-42501

_____________________________________________________________________

CVE-2023-43701: Apache Superset: Stored XSS on API endpoint

Affected versions:
- Apache Superset before 2.1.2

Description:
Improper payload validation and an improper REST API response type made it possible for an authenticated malicious actor to store malicious code in a chart's metadata; this code could be executed if a user accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Credit:
Nick Barnes, Praetorian Security Inc. (reporter)

References:
https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-43701

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================
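Added example (not part of this CERT-Renater note and not code from Apache Superset): a pre-upgrade audit for the two conditions the note describes for versions before 2.1.2, the examples connection resolving to the same database as the metadata store (CVE-2023-40610) and the Gamma role holding `can_read` on CSS templates and annotations (CVE-2023-42501). Assumptions the note does not state: the settings are read under the `SQLALCHEMY_DATABASE_URI` and `SQLALCHEMY_EXAMPLES_URI` names of `superset_config.py`, an unset examples URI means the metadata URI is reused, the two resources appear in the Flask-AppBuilder permission model as view menus named `CssTemplate` and `Annotation`, and the live lookup reaches the security manager as `app.appbuilder.sm` inside a Superset app context. The sample configurations and permission list are constructed; verify the names against your own instance.

```python
"""Audit a Superset deployment for the pre-2.1.2 conditions in the note.

Added example, not code from the note or from Apache Superset. Setting names,
view-menu names and the app.appbuilder.sm lookup are assumptions (see lead-in).
"""
from typing import Iterable, NamedTuple, Optional
from urllib.parse import unquote, urlsplit

# Default ports so "db:5432" and "db" compare equal for the same backend.
DEFAULT_PORTS = {"postgresql": 5432, "mysql": 3306}

# (permission, view_menu) pairs the note says Gamma should not hold (assumed names).
UNNEEDED_GAMMA = {("can_read", "CssTemplate"), ("can_read", "Annotation")}


class DbTarget(NamedTuple):
    scheme: str
    host: str
    port: Optional[int]
    database: str


def db_target(uri: str) -> DbTarget:
    """Reduce a SQLAlchemy URI to what identifies the database it reaches.

    Credentials, query options and the driver suffix are dropped, so two URIs
    using different users or drivers against one database compare equal.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.split("+", 1)[0].lower()  # postgresql+psycopg2 -> postgresql
    if scheme == "sqlite":
        # sqlite:///rel.db -> "rel.db", sqlite:////abs.db -> "/abs.db"
        path = unquote(parts.path)
        return DbTarget(scheme, "", None, path[1:] if path.startswith("/") else path)
    host = (parts.hostname or "localhost").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return DbTarget(scheme, host, port, unquote(parts.path.lstrip("/")))


def examples_share_metadata_db(config: dict) -> bool:
    """CVE-2023-40610 precondition: examples and metadata URIs are one database."""
    metadata_uri = config["SQLALCHEMY_DATABASE_URI"]
    examples_uri = config.get("SQLALCHEMY_EXAMPLES_URI")
    if not examples_uri:  # assumption: unset means the metadata URI is reused
        return True
    return db_target(metadata_uri) == db_target(examples_uri)


def excess_gamma_permissions(permissions: Iterable[tuple]) -> list:
    """CVE-2023-42501: the unneeded pairs present among the role's (perm, view) pairs."""
    return sorted(set(permissions) & UNNEEDED_GAMMA)


def audit(config: dict, gamma_permissions: Iterable[tuple]) -> list:
    """Human-readable findings; an empty list means neither condition is present."""
    findings = []
    if examples_share_metadata_db(config):
        findings.append("CVE-2023-40610: examples connection reaches the metadata database; "
                        "point SQLALCHEMY_EXAMPLES_URI at a separate database and upgrade to 2.1.2")
    for perm, view in excess_gamma_permissions(gamma_permissions):
        findings.append(f"CVE-2023-42501: Gamma role has {perm} on {view}; "
                        "upgrade to 2.1.2 and run `superset init`, or remove the permission")
    return findings


# Constructed sample inputs standing in for a pre-2.1.2 deployment.
SAMPLE_CONFIG_SHARED = {
    "SQLALCHEMY_DATABASE_URI": "postgresql+psycopg2://superset:secret@db:5432/superset",
    "SQLALCHEMY_EXAMPLES_URI": "postgresql://examples:secret@db/superset",
}
SAMPLE_CONFIG_SEPARATE = {
    "SQLALCHEMY_DATABASE_URI": "postgresql+psycopg2://superset:secret@db:5432/superset",
    "SQLALCHEMY_EXAMPLES_URI": "postgresql://examples:secret@db/examples",
}
SAMPLE_GAMMA_PERMISSIONS = [
    ("can_read", "Chart"), ("can_read", "Dashboard"),
    ("can_read", "CssTemplate"), ("can_read", "Annotation"),
]


def live_gamma_permissions(role_name: str = "Gamma") -> list:
    """Read the role from a running install (needs superset installed; assumed API)."""
    from superset.app import create_app  # imported here so the audit above runs offline

    app = create_app()
    with app.app_context():
        role = app.appbuilder.sm.find_role(role_name)
        return [(pv.permission.name, pv.view_menu.name) for pv in role.permissions]


if __name__ == "__main__":
    import runpy
    import sys
    # usage: python audit_superset.py /path/to/superset_config.py  (no arg: samples)
    cfg = runpy.run_path(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG_SHARED
    perms = live_gamma_permissions() if len(sys.argv) > 1 else SAMPLE_GAMMA_PERMISSIONS
    for line in audit(cfg, perms) or ["no findings"]:
        print(line)
```

Run without arguments it audits the constructed samples and reports both conditions; with the path of a real `superset_config.py` it evaluates that file and reads the Gamma role from the installed Superset. The URI comparison deliberately ignores credentials and driver names, because a separate user on the same database is exactly the situation the first CVE describes.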