
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN517
_____________________________________________________________________

DATE                : 14/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Superset versions prior
                     to 4.1.3, 5.0.0.

=====================================================================
https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
_____________________________________________________________________

CVE-2025-55675: Apache Superset: Incorrect datasource authorization
on REST API

Severity: 

Affected versions:

- Apache Superset before 5.0.0


Description:

Apache Superset contains an improper access control vulnerability in
its /explore endpoint. A missing authorization check allows an
authenticated user to discover metadata about datasources they do
not have permission to access. By iterating through the datasource_id
in the URL, an attacker can enumerate and confirm the existence and
names of protected datasources, leading to sensitive information
disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the
issue.
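Added example, not Apache Superset's own code: two defensive patterns for the /explore enumeration issue described above. The first collapses "does not exist" and "not permitted" into one identical reply so the endpoint cannot act as an existence oracle; the second is a detector run over constructed access-log lines that flags a user requesting many distinct datasource_id values in a short window. The catalogue, role names, log layout and sample data are all assumptions of this example.

```python
"""Added example, not Apache Superset code: two defensive patterns for the
/explore datasource-enumeration issue.

resolve_datasource() answers "not found" both when a datasource does not
exist and when the caller may not read it, so the endpoint cannot be used
as an existence oracle. find_enumeration() is a detector run over
constructed access-log lines that flags a user who requests many distinct
datasource_id values in a short window. The catalogue, role names, log
layout and sample data are all assumptions of this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed catalogue: datasource_id -> (name, roles allowed to read it)
DATASOURCES = {
    1: ("public_sales", {"Gamma", "Alpha", "Admin"}),
    2: ("hr_salaries", {"Admin"}),
    3: ("finance_ledger", {"Admin", "Alpha"}),
}

NOT_FOUND = {"status": 404, "message": "datasource not found"}


def resolve_datasource(user_roles, datasource_id):
    """Return datasource metadata only when it exists AND the caller may
    read it. Both failure cases collapse to the same NOT_FOUND reply, so
    the response neither confirms existence nor leaks the name."""
    entry = DATASOURCES.get(datasource_id)
    if entry is None:
        return NOT_FOUND
    name, allowed_roles = entry
    if not set(user_roles) & allowed_roles:
        return NOT_FOUND
    return {"status": 200, "id": datasource_id, "name": name}


# Constructed access-log lines (assumed layout):
# <ISO timestamp> <user> <method> <path> <status>
SAMPLE_LOG = """\
2025-08-14T09:00:01 alice GET /explore/?datasource_type=table&datasource_id=1 200
2025-08-14T09:00:02 mallory GET /explore/?datasource_type=table&datasource_id=1 200
2025-08-14T09:00:03 mallory GET /explore/?datasource_type=table&datasource_id=2 404
2025-08-14T09:00:04 mallory GET /explore/?datasource_type=table&datasource_id=3 404
2025-08-14T09:00:05 mallory GET /explore/?datasource_type=table&datasource_id=4 404
2025-08-14T09:00:06 mallory GET /explore/?datasource_type=table&datasource_id=5 404
2025-08-14T09:00:07 mallory GET /explore/?datasource_type=table&datasource_id=6 404
2025-08-14T09:30:00 alice GET /explore/?datasource_type=table&datasource_id=3 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) \S+ /explore/\?\S*?datasource_id=(?P<dsid>\d+)\S* (?P<status>\d{3})$"
)


def find_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {user: sorted datasource_ids} for every user who requested at
    least `threshold` distinct datasource_id values inside some `window`.
    Uses a sliding window over each user's requests sorted by time."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # lines for other endpoints are ignored
            continue
        per_user[m["user"]].append((datetime.fromisoformat(m["ts"]), int(m["dsid"])))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {dsid for ts, dsid in events[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[user] = sorted(ids)
                break
    return flagged


if __name__ == "__main__":
    print(resolve_datasource(["Gamma"], 2))
    print(find_enumeration(SAMPLE_LOG))
```

The detector deliberately ignores the HTTP status: before the fix an unauthorized request may still have succeeded, so the signal is the spread of distinct ids per user, not the error rate.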


Credit:

Daniel Höxtermann / hxtmdev (remediation developer)
Pedro Sousa (coordinator)


References:

https://www.cve.org/CVERecord?id=CVE-2025-55675


_____________________________________________________________________

CVE-2025-55674: Apache Superset: Improper SQL authorisation, parse
not checking for specific engine functions

Severity: 

Affected versions:

- Apache Superset before 5.0.0


Description:

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache
Superset allows for the execution of blocked SQL functions. An
attacker can use a special inline block to circumvent the denylist.
This allows a user with SQL Lab access to execute functions that
were intended to be disabled, leading to the disclosure of sensitive
database information like the software version.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the
issue.
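Added example, not Apache Superset's own code: a denylist check for SQL function calls that inspects the whole statement (subqueries, CTEs, nested and schema-qualified calls) rather than only its top level, which is the class of gap the advisory above describes. The setting name DISALLOWED_SQL_FUNCTIONS is the one named in the advisory; the engine-to-set dict shape, the function names in it, and the sample queries are assumptions of this example.

```python
"""Added example, not Apache Superset code: a denylist check for SQL
function calls that looks at every call in the statement.

The dict below mirrors the assumed shape of the DISALLOWED_SQL_FUNCTIONS
setting (engine name -> set of function names); the names listed and the
sample queries are constructed for this example."""
import re

DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {"version", "pg_sleep", "inet_server_addr"},
    "mysql": {"version", "sleep", "load_file"},
}

# Blank out string literals and both comment styles before scanning, so a
# denylisted name inside a literal is not a false positive and a comment
# cannot hide a call from the check.
_STRIP_RE = re.compile(
    r"""
    '(?:[^']|'')*'        # single-quoted string literal ('' is an escaped quote)
    | "(?:[^"]|"")*"      # double-quoted identifier / literal
    | --[^\n]*            # line comment
    | /\*.*?\*/           # block comment
    """,
    re.VERBOSE | re.DOTALL,
)

# An identifier followed by "(" is a call; allow a qualifier prefix such as
# pg_catalog.version( so a schema-qualified call is still recognised.
_CALL_RE = re.compile(r"(?:[A-Za-z_][A-Za-z0-9_]*\.)*([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def called_functions(sql):
    """Return the lower-cased names of every function called anywhere in
    `sql`: top level, subqueries, CTEs and arguments of other calls.
    Keywords followed by "(" such as FROM or IN are returned too; they are
    harmless because only the intersection with the denylist matters."""
    cleaned = _STRIP_RE.sub(" ", sql)
    return {m.group(1).lower() for m in _CALL_RE.finditer(cleaned)}


def find_disallowed(sql, engine):
    """Return the denylisted functions used by `sql` for `engine`, sorted.
    An engine with no entry has an empty denylist."""
    denied = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    return sorted(called_functions(sql) & denied)


def is_allowed(sql, engine):
    """True when the statement uses no denylisted function for `engine`."""
    return not find_disallowed(sql, engine)


if __name__ == "__main__":
    for q in ("SELECT version()", "SELECT * FROM (SELECT coalesce(version(), 'n/a') AS v) t"):
        print(q, "->", find_disallowed(q, "postgresql"))
```

A denylist like this is a secondary control: the primary fix is the upgrade, and the database account Superset connects with should itself lack the privileges the blocked functions need.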


Credit:

Pedro Sousa (coordinator)
Beto Dealmeida (remediation developer)
d47sec from NCS Viet Nam (reporter)


References:

https://www.cve.org/CVERecord?id=CVE-2025-55674

_____________________________________________________________________

CVE-2025-55672: Apache Superset: Store XSS on charts metadata

Severity: 

Affected versions:

- Apache Superset before 5.0.0


Description:

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache
Superset's chart visualization. An authenticated user with
permissions to edit charts can inject a malicious payload into a
column's label. The payload is not properly sanitized and gets
executed in the victim's browser when they hover over the chart,
potentially leading to session hijacking or the execution of
arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes
the issue.
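Added example, not Apache Superset's own code: an audit that walks stored chart metadata and reports column or metric labels containing HTML markup, the kind of value the stored XSS above would leave behind in an instance that ran a vulnerable version, plus the escape step a renderer must apply before placing a user-controlled label into a tooltip. The JSON layout of the chart parameters, the label key names and the sample values are assumptions of this example.

```python
"""Added example, not Apache Superset code: audit stored chart metadata
for labels that contain markup, and escape labels before rendering.

The chart `params` layout, the label key names and the sample charts are
constructed assumptions of this example."""
import html
import json
import re

# Tag-like construct (<b, </b), inline event handler (onmouseover=) or a
# javascript: URL. "<" followed by a space, as in "a < b", is not flagged.
MARKUP_RE = re.compile(r"</?[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Keys whose string values end up as visible labels (assumed names).
LABEL_KEYS = {"label", "verbose_name", "x_axis_label", "y_axis_label"}


def find_markup_labels(params, path="params"):
    """Yield (json_path, value) for every label-like string under `params`
    that contains markup. Recurses through nested dicts and lists."""
    if isinstance(params, dict):
        for key, value in params.items():
            sub = f"{path}.{key}"
            if key in LABEL_KEYS and isinstance(value, str) and MARKUP_RE.search(value):
                yield sub, value
            else:
                yield from find_markup_labels(value, sub)
    elif isinstance(params, list):
        for index, value in enumerate(params):
            yield from find_markup_labels(value, f"{path}[{index}]")


def audit_charts(charts):
    """charts: iterable of (chart_id, params_json_string) as stored per chart.
    Returns {chart_id: [(path, value), ...]} for charts with suspect labels."""
    findings = {}
    for chart_id, params_json in charts:
        hits = list(find_markup_labels(json.loads(params_json)))
        if hits:
            findings[chart_id] = hits
    return findings


def safe_tooltip_label(label):
    """HTML-escape a label before it is inserted into tooltip markup; this
    is the step the renderer must perform for any user-controlled text."""
    return html.escape(label, quote=True)


# Constructed sample charts: one clean, one with markup in a metric label,
# one with a harmless "<" in a column label.
SAMPLE_CHARTS = [
    (101, json.dumps({"metrics": [{"label": "Total revenue"}], "x_axis_label": "Month"})),
    (102, json.dumps({"metrics": [{"label": "Revenue<script>x</script>"}]})),
    (103, json.dumps({"columns": [{"label": "a < b"}]})),
]


if __name__ == "__main__":
    for chart_id, hits in audit_charts(SAMPLE_CHARTS).items():
        for path, value in hits:
            print(chart_id, path, repr(value))
```

Run the audit after upgrading as well: the fix stops new payloads from executing, but labels saved earlier remain in the metadata store until they are cleaned up.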


Credit:

Pedro Sousa (coordinator)
Jobar (finder)
Mehmet Yavuz (remediation developer)


References:

https://www.cve.org/CVERecord?id=CVE-2025-55672

_____________________________________________________________________

CVE-2025-55673: Apache Superset: Metadata exposure in embedded charts

Severity: 

Affected versions:

- Apache Superset before 4.1.3


Description:

When a guest user accesses a chart in Apache Superset, the API response
from the /chart/data endpoint includes a query field in its payload.
This field contains the underlying query, which improperly discloses
database schema information, such as table names, to the
low-privileged guest user.

This issue affects Apache Superset: before 4.1.3.

Users are recommended to upgrade to version 4.1.3, which fixes the
issue.
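Added example, not Apache Superset's own code: a response filter that strips the query field from a /chart/data-style payload before it reaches a guest (embedded) user, together with a check that can be run against captured responses to confirm the field is no longer disclosed after the upgrade. The field name query and the endpoint are the ones named in the advisory; the payload layout, the guest-user representation and the sample data are assumptions of this example.

```python
"""Added example, not Apache Superset code: keep the generated SQL out of
/chart/data responses served to guest users, and verify captured responses.

The payload layout, the `user` dict and the sample values are assumptions
of this example; the `query` field is the one named in the advisory."""
import copy

# Fields that reveal query internals (table names, schema layout) and must
# not reach a guest user. Extend as needed for a deployment.
INTERNAL_KEYS = {"query"}


def is_guest(user):
    """Guest = embedded-dashboard viewer holding a token but no account.
    `user` is assumed to be {"username": str, "roles": [..], "is_guest": bool}."""
    return bool(user.get("is_guest"))


def filter_chart_data(payload, user):
    """Return the payload with INTERNAL_KEYS removed from every result entry
    when the caller is a guest; other users receive it unchanged. The input
    is never mutated, so the unfiltered object cannot leak by reference."""
    if not is_guest(user):
        return payload
    scrubbed = copy.deepcopy(payload)
    for entry in scrubbed.get("result", []):
        for key in INTERNAL_KEYS:
            entry.pop(key, None)
    return scrubbed


def leaked_fields(payload):
    """Post-upgrade check for a captured guest response: return the sorted
    internal field names still present in any result entry (empty = clean)."""
    found = set()
    for entry in payload.get("result", []):
        found.update(INTERNAL_KEYS & set(entry))
    return sorted(found)


# Constructed sample response in the assumed /chart/data layout.
SAMPLE_PAYLOAD = {
    "result": [
        {
            "status": "success",
            "colnames": ["region", "SUM(amount)"],
            "data": [{"region": "EU", "SUM(amount)": 120.0}],
            "query": "SELECT region, SUM(amount) FROM finance.ledger GROUP BY region",
        }
    ]
}

GUEST = {"username": "guest-token-1", "roles": [], "is_guest": True}
ANALYST = {"username": "alice", "roles": ["Alpha"], "is_guest": False}


if __name__ == "__main__":
    print(leaked_fields(filter_chart_data(SAMPLE_PAYLOAD, GUEST)))
    print(leaked_fields(filter_chart_data(SAMPLE_PAYLOAD, ANALYST)))
```

The same leaked_fields() check is useful as a regression test in a deployment pipeline: feed it a guest-token response captured from a staging instance and fail the build if the list is not empty.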


Credit:

Pedro Sousa (coordinator)
Daniel Gaspar (remediation developer)


References:

https://www.cve.org/CVERecord?id=CVE-2025-55673


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
