Home > Vulnerability Database > CVE-2023-40610

Mend.io Vulnerability Database

CVE-2023-40610

Good to know:

Date: November 27, 2023

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.

Language: Python

Severity Score

8.8

Related Resources (7)

Url: https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5

Url: https://seclists.org/oss-sec/2023/q4/237

Url: http://www.openwall.com/lists/oss-security/2023/11/27/2

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40610

Url: https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Url: https://github.com/apache/superset/commit/ccf73b2608f3f3d1f3d31b927e094fcf50b86a03

Url: https://www.mend.io/vulnerability-database/CVE-2023-40610

Severity Score

8.8

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version apache-superset - 2.1.2

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40610

Good to know:

Date: November 27, 2023

Language: Python

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?