cvelistv5 - CVE-2023-40610

CVE-2023-40610 (GCVE-0-2023-40610)

Vulnerability from cvelistv5

Published

2023-11-27 10:22

Modified

2025-06-03 13:59

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-863 - Incorrect Authorization

Summary

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.

References

►

URL

Tags

security@apache.org	http://www.openwall.com/lists/oss-security/2023/11/27/2	Mailing List, Third Party Advisory
security@apache.org	https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5
security@apache.org	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2023/11/27/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Superset	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:38:51.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40610",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T13:59:25.937531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T13:59:39.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Superset",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LEXFO for Orange Innovation and Orange CERT-CC  at Orange group"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper authorization check and possible privilege escalation on Apache Superset\u0026nbsp;up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-10T16:49:59.636Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
        },
        {
          "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Superset: Privilege escalation with default examples database",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-40610",
    "datePublished": "2023-11-27T10:22:41.083Z",
    "dateReserved": "2023-08-17T12:56:13.976Z",
    "dateUpdated": "2025-06-03T13:59:39.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40610\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-11-27T11:15:07.293\",\"lastModified\":\"2025-02-13T17:17:04.687\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\"},{\"lang\":\"es\",\"value\":\"Verificaci\u00f3n de autorizaci\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\u00e9ndolo. Utilizando la conexi\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\u00f3n SQL CTE especialmente manipulada podr\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\u00eda resultar en la manipulaci\u00f3n de los datos de autenticaci\u00f3n/autorizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.2\",\"matchCriteriaId\":\"15732220-B366-4C92-A7D6-8C5DF4C9CA20\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/27/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/27/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/2\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:38:51.121Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-40610\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-03T13:59:25.937531Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-03T13:59:34.518Z\"}}], \"cna\": {\"title\": \"Apache Superset: Privilege escalation with default examples database\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"LEXFO for Orange Innovation and Orange CERT-CC  at Orange group\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Superset\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.1.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2023/11/27/2\"}, {\"url\": \"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper authorization check and possible privilege escalation on Apache Superset\\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper authorization check and possible privilege escalation on Apache Superset\u0026nbsp;up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-01-10T16:49:59.636Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-40610\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-03T13:59:39.739Z\", \"dateReserved\": \"2023-08-17T12:56:13.976Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2023-11-27T10:22:41.083Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2023-40610

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-40610

Aliases

CVE-2023-40610

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-40610",
    "id": "GSD-2023-40610"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-40610"
      ],
      "details": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\n\n",
      "id": "GSD-2023-40610",
      "modified": "2023-12-13T01:20:43.840390Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-40610",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Superset",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "2.1.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "LEXFO for Orange Innovation and Orange CERT-CC  at Orange group"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863 Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2023/11/27/2",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
          },
          {
            "name": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5",
            "refsource": "MISC",
            "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "15732220-B366-4C92-A7D6-8C5DF4C9CA20",
                    "versionEndExcluding": "2.1.2",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.\n\n"
          },
          {
            "lang": "es",
            "value": "Verificaci\u00f3n de autorizaci\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\u00e9ndolo. Utilizando la conexi\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\u00f3n SQL CTE especialmente manipulada podr\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\u00eda resultar en la manipulaci\u00f3n de los datos de autenticaci\u00f3n/autorizaci\u00f3n."
          }
        ],
        "id": "CVE-2023-40610",
        "lastModified": "2024-01-10T17:15:08.717",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 4.0,
              "source": "security@apache.org",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-11-27T11:15:07.293",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
          },
          {
            "source": "security@apache.org",
            "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Vendor Advisory"
            ],
            "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

fkie_cve-2023-40610

Vulnerability from fkie_nvd

Published

2023-11-27 11:15

Modified

2025-02-13 17:17

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2023/11/27/2	Mailing List, Third Party Advisory
security@apache.org	https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5
security@apache.org	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2023/11/27/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	superset	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15732220-B366-4C92-A7D6-8C5DF4C9CA20",
              "versionEndExcluding": "2.1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper authorization check and possible privilege escalation on Apache Superset\u00a0up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset\u0027s metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data."
    },
    {
      "lang": "es",
      "value": "Verificaci\u00f3n de autorizaci\u00f3n incorrecta y posible escalada de privilegios en Apache Superset hasta 2.1.2, pero excluy\u00e9ndolo. Utilizando la conexi\u00f3n de base de datos de ejemplos predeterminada que permite el acceso tanto al esquema de ejemplos como a la base de datos de metadatos de Apache Superset, un atacante que utilice una declaraci\u00f3n SQL CTE especialmente manipulada podr\u00eda cambiar los datos de la base de datos de metadatos. Esta debilidad podr\u00eda resultar en la manipulaci\u00f3n de los datos de autenticaci\u00f3n/autorizaci\u00f3n."
    }
  ],
  "id": "CVE-2023-40610",
  "lastModified": "2025-02-13T17:17:04.687",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0,
        "source": "security@apache.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-27T11:15:07.293",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    },
    {
      "source": "security@apache.org",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    }
  ]
}

ghsa-f678-j579-4xf5

Vulnerability from github

Published

2023-11-28 18:56

Modified

2024-01-10 19:17

Severity ?

7.3 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

Apache Superset - Elevation of Privilege

Details

Overview

An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.

Details

On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords. Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability).

Proof of Concept

Some tables are supposed to accept only SELECT requests from the SQL tab. - Attempt to create a new user injected_admin into the ab_user table: PoC_1

But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query. INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax: WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, ‘injected_admin’, ‘injected_admin’, ‘injected_admin’, ‘injected_admin@gmail.com’, ‘{PASSWORD_HASH}’) RETURNING id ) SELECT * FROM a; PoC_2 - injected_admin added to the ab_user table: PoC_3

This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator. - Locating the ID of the user ‘Auditeur B’, who has no rights and is not an admin. The request is done being ‘Auditeur B’: PoC_4 - Locating the rows that keep the role of the user ‘Auditeur B’. The row 36 stores the value 3, indicating the role ‘Alpha’ for ‘Auditeur B’: PoC_5 - Modification of the row 36 with an UPDATE request embedded in a WITH request: PoC_6 - ‘Auditeur B’ role has been changed to Admin: PoC_7

This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).

Solution

Orange recommendation

To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.

Security patch

Upgrade to Superset version 2.1.2.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40610 https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Credits

LEXFO for Orange Innovation

Orange CERT-CC at Orange group

Timeline

Date reported: July 27, 2023 Date fixed: November 27, 2023

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T18:56:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Overview\nAn attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.\n\n### Details\nOn a more general level, diverse tables who are supposed to be only readable can be modified using the WITH \u2026 AS and RETURNING keywords.\nModification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. \"V7 - Insecure deserialization leading to remote code execution\" report vulnerability).\n\n### Proof of Concept\nSome tables are supposed to accept only SELECT requests from the SQL tab.\n- Attempt to create a new user injected_admin into the ab_user table: [PoC_1](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_1.png)\n\nBut this protection can be bypassed by using the WITH \u2026 AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query.\nINSERT query accepted by the database due to the use of WITH \u2026 AS ( \u2026 RETURNING ) syntax:\n  WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, \u2018injected_admin\u2019, \u2018injected_admin\u2019, \u2018injected_admin\u2019, \u2018injected_admin@gmail.com\u2019, \u2018{PASSWORD_HASH}\u2019) RETURNING id ) SELECT * FROM a;\n  [PoC_2](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_2.png)\n  - injected_admin added to the ab_user table: [PoC_3](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_3.png)\n\nThis method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator.\n- Locating the ID of the user \u2018Auditeur B\u2019, who has no rights and is not an admin. The request is done being \u2018Auditeur B\u2019: [PoC_4](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_4.png)\n- Locating the rows that keep the role of the user \u2018Auditeur B\u2019. The row 36 stores the value 3, indicating the role \u2018Alpha\u2019 for \u2018Auditeur B\u2019: [PoC_5](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_5.png)\n- Modification of the row 36 with an UPDATE request embedded in a WITH request: [PoC_6](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_6.png)\n- \u2018Auditeur B\u2019 role has been changed to Admin: [PoC_7](https://github.com/orangecertcc/security-research/blob/main/CVE-2023-40610/PoC_7.png)\n\nThis technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).\n\n### Solution\n#### Orange recommendation\nTo fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.\n#### Security patch\nUpgrade to Superset version 2.1.2.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-40610\nhttps://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot\n\n### Credits\nLEXFO for [Orange Innovation][orange]\n\n[Orange CERT-CC][ora] at [Orange group][orange]\n\n[ora]: \u003chttps://cert.orange.com/\u003e\n[orange]: \u003chttps://www.orange.com/\u003e\n\n### Timeline\n**Date reported:** July 27, 2023\n**Date fixed:** November 27, 2023",
  "id": "GHSA-f678-j579-4xf5",
  "modified": "2024-01-10T19:17:04Z",
  "published": "2023-11-28T18:56:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40610"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/superset"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Superset - Elevation of Privilege"
}

wid-sec-w-2023-3010

Vulnerability from csaf_certbund

Published

2023-11-26 23:00

Modified

2023-11-26 23:00

Summary

Apache Superset: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Superset ist eine Open-Source-Plattform zur Datenexploration und -visualisierung.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Superset ausnutzen, um seine Privilegien zu erhöhen, Informationen offenzulegen oder einen Cross Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Superset ist eine Open-Source-Plattform zur Datenexploration und -visualisierung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Superset ausnutzen, um seine Privilegien zu erh\u00f6hen, Informationen offenzulegen oder einen Cross Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-3010 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3010.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-3010 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3010"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2023-11-27",
        "url": "https://www.openwall.com/lists/oss-security/2023/11/27/4"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2023-11-27",
        "url": "https://www.openwall.com/lists/oss-security/2023/11/27/3"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2023-11-27",
        "url": "https://www.openwall.com/lists/oss-security/2023/11/27/2"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Superset: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-11-26T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:02:04.947+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-3010",
      "initial_release_date": "2023-11-26T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-11-26T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Apache Superset \u003c 2.1.2",
            "product": {
              "name": "Apache Superset \u003c 2.1.2",
              "product_id": "T031357",
              "product_identification_helper": {
                "cpe": "cpe:/a:apache:superset:2.1.2"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-43701",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein authentisierter Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2023-11-26T23:00:00.000+00:00",
      "title": "CVE-2023-43701"
    },
    {
      "cve": "CVE-2023-42501",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Superset. Innerhalb der Gammarolle werden nicht notwendige Leseberechtigungen gesetzt. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um konfigurierte CSS-Vorlagen und Anmerkungen zu lesen."
        }
      ],
      "release_date": "2023-11-26T23:00:00.000+00:00",
      "title": "CVE-2023-42501"
    },
    {
      "cve": "CVE-2023-40610",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Apache Superset. Aufgrund einer unsachgem\u00e4\u00dfen Berechtigungspr\u00fcfung bei der Verwendung der Standard-Beispiele-Datenbankverbindung, die den Zugriff sowohl auf das Beispiele-Schema als auch auf die Metadaten-Datenbank erm\u00f6glicht, kann ein Angreifer mit einer speziell gestalteten CTE-SQL-Anweisung Daten in der Metadaten-Datenbank \u00e4ndern. In der Folge kann er Authentifizierungs-/Autorisierungsdaten manipulieren und so seine Privilegien erweitern."
        }
      ],
      "release_date": "2023-11-26T23:00:00.000+00:00",
      "title": "CVE-2023-40610"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-40610 (GCVE-0-2023-40610)

Vulnerability from cvelistv5

gsd-2023-40610

Vulnerability from gsd

fkie_cve-2023-40610

Vulnerability from fkie_nvd

ghsa-f678-j579-4xf5

Vulnerability from github

Overview

Details

Proof of Concept

Solution

Orange recommendation

Security patch

References

Credits

Timeline

wid-sec-w-2023-3010

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature