OpenCVE

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Superset

Configuration 1 [-]

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/11/27/3
https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-11-27T10:23:47.721Z

Updated: 2024-08-29T19:05:51.288Z

Reserved: 2023-09-11T09:03:06.448Z

Link: CVE-2023-42501

Vulnrichment

Updated: 2024-08-02T19:23:39.502Z

NVD

Status : Analyzed

Published: 2023-11-27T11:15:07.743

Modified: 2023-12-01T19:11:12.803

Link: CVE-2023-42501

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42501", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-09-11T09:03:06.448Z", "datePublished": "2023-11-27T10:23:47.721Z", "dateUpdated": "2024-08-29T19:05:51.288Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.1.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Miguel Segovia Gil"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.<br>This issue affects Apache Superset: before 2.1.2.<br>Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.<br><br>"}], "value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-27T10:23:47.721Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Unnecessary read permissions within the Gamma role", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:23:39.502Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache_software_foundation", "product": "apache_superset", "cpes": ["cpe:2.3:a:apache_software_foundation:apache_superset:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.12", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T19:01:45.929047Z", "id": "CVE-2023-42501", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T19:05:51.288Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42501", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-09-11T09:03:06.448Z", "datePublished": "2023-11-27T10:23:47.721Z", "dateUpdated": "2024-08-29T19:05:51.288Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.1.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Miguel Segovia Gil"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.<br>This issue affects Apache Superset: before 2.1.2.<br>Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.<br><br>"}], "value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-11-27T10:23:47.721Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Unnecessary read permissions within the Gamma role", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:23:39.502Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42501", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T19:01:45.929047Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache_software_foundation:apache_superset:*:*:*:*:*:*:*:*"], "vendor": "apache_software_foundation", "product": "apache_superset", "versions": [{"status": "affected", "version": "0", "lessThan": "2.12", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T19:05:42.680Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*", "matchCriteriaId": "70A1ED21-6FFF-43FF-8F10-B3C97E01A2DA", "versionEndExcluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.\n\n"}, {"lang": "es", "value": "Los permisos de lectura innecesarios dentro de la funci\u00f3n Gamma permitir\u00edan a los usuarios autenticados leer plantillas y anotaciones CSS configuradas. Este problema afecta a Apache Superset: antes de 2.1.2. Los usuarios deben actualizar a la versi\u00f3n 2.1.2 o superior y ejecutar `superset init` para reconstruir la funci\u00f3n Gamma o eliminar el permiso `can_read` de los recursos mencionados."}], "id": "CVE-2023-42501", "lastModified": "2023-12-01T19:11:12.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2023-11-27T11:15:07.743", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security@apache.org", "type": "Primary"}]}