CVE-2023-39264 - OpenCVE

By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerability exists in Apache Superset versions up to and including 2.1.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Superset

Configuration 1 [-]

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-09-06T12:58:59.791Z

Updated: 2024-08-02T18:02:06.790Z

Reserved: 2023-07-26T15:04:49.327Z

Link: CVE-2023-39264

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-06T13:15:08.927

Modified: 2023-09-11T14:28:53.417

Link: CVE-2023-39264

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39264", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-07-26T15:04:49.327Z", "datePublished": "2023-09-06T12:58:59.791Z", "dateUpdated": "2024-08-02T18:02:06.790Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Miguel Segovia Gil"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. <span style=\"background-color: rgb(255, 255, 255);\">This vulnerability exists </span>in Apache Superset versions up to and including 2.1.0."}], "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-06T12:58:59.791Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Stack traces enabled by default", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.790Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75"}]}]}}