Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN302

_____________________________________________________________________

DATE                : 13/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Superset versions prior
                                      to 4.1.1.

=====================================================================
https://lists.apache.org/thread/zcrpx2g2v20ttwz893wos8fjgxf0pjpo
_____________________________________________________________________

CVE-2025-27696: Apache Superset: Improper authorization leading to
resource ownership takeover


Affected versions:

- Apache Superset through 4.1.1


Description:

Improper Authorization vulnerability in Apache Superset allows
ownership takeover of dashboards, charts or datasets by authenticated
users with read permissions.

This issue affects Apache Superset: through 4.1.1.

Users are recommended to upgrade to version 4.1.2 or above, which
fixes the issue.


Credit:

João Marono (finder)
Daniel Gaspar (remediation developer)


References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-27696



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================