CVE-2023-30776 - OpenCVE

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Superset

Configuration 1 [-]

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/04/24/3
https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-04-24T15:29:53.498Z

Updated: 2024-08-02T14:37:15.407Z

Reserved: 2023-04-17T11:47:18.487Z

Link: CVE-2023-30776

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-04-24T16:15:08.000

Modified: 2023-06-15T08:15:09.333

Link: CVE-2023-30776

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30776", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-04-17T11:47:18.487Z", "datePublished": "2023-04-24T15:29:53.498Z", "dateUpdated": "2024-08-02T14:37:15.407Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.0.1", "status": "affected", "version": "1.3.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Naveen Sunkavally (Horizon3.ai) (finder)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1."}], "value": "An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API.\u00a0This issue affects Apache Superset version 1.3.0 up to 2.0.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-15T07:29:50.245Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz"}, {"url": "http://www.openwall.com/lists/oss-security/2023/04/24/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Database connection password leak", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.407Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz"}, {"url": "http://www.openwall.com/lists/oss-security/2023/04/24/3", "tags": ["x_transferred"]}]}]}}