Bitnami package
superset
pkg:bitnami/superset
Vulnerabilities (65)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-28125 | — | | | < 1.0.2 | 1.0.2 | Apr 27, 2021 | Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince |
| CVE-2021-27907 | — | | | < 0.38.1 | 0.38.1 | Mar 5, 2021 | Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's |
| CVE-2020-13952 | — | | | < 0.37.2 | 0.37.2 | Sep 30, 2020 | In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed |
| CVE-2020-13948 | — | | | < 0.37.1 | 0.37.1 | Sep 17, 2020 | While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python's `os` package in the web application process in versions < 0.37 |
| CVE-2020-1932 | — | | | >= 0.34.0, < 0.34.1 | 0.34.1 | Jan 28, 2020 | An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset. |
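The practical use of a listing like this is to answer "is the Superset version I am running inside any of these ranges?". The script below is an added example, not Bitnami's or Apache Superset's code: it transcribes the five affected ranges from the table above (constructed data, only this page of the 65-entry listing, not the full set), parses the `< x.y.z` / `>= a, < b` notation the table uses, and reports which listed CVEs apply to a given version. It assumes Bitnami-style image tags of the form `1.0.2-debian-10-r0`, from which only the leading dotted-numeric part is compared; that tag format is an assumption, not something the page states. One caveat worth keeping in mind: the table's affected range for CVE-2020-1932 (`>= 0.34.0, < 0.34.1`) is narrower than the CVE text beside it, which names 0.34.1, 0.35.0 and 0.35.1 as affected too, so a check driven purely by the table's ranges will report 0.34.1 as clean for that CVE.

```python
"""Check an installed Apache Superset version against the affected ranges
listed on this page. Added example; not Bitnami's or Superset's own code."""
import re
from typing import List, Tuple

# Affected ranges transcribed from the table above (constructed data: only the
# five entries shown on this page of the listing, not all 65 advisories).
ADVISORIES = {
    "CVE-2021-28125": "< 1.0.2",
    "CVE-2021-27907": "< 0.38.1",
    "CVE-2020-13952": "< 0.37.2",
    "CVE-2020-13948": "< 0.37.1",
    "CVE-2020-1932": ">= 0.34.0, < 0.34.1",
}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}
# One clause of the table's range notation, e.g. "< 1.0.2" or ">= 0.34.0".
_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.37.1' into (0, 37, 1) so versions compare numerically, not as
    strings ('0.9' must sort below '0.10'). A Bitnami-style tag such as
    '1.0.2-debian-10-r0' (assumed format) is reduced to its leading numeric
    part; the distro and revision suffix does not affect the upstream version."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so '1.0' and '1.0.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def matches_range(version: str, spec: str) -> bool:
    """True when `version` satisfies every comma-separated clause in `spec`,
    accepting the table's notation ('< 1.0.2', '>= 0.34.0, < 0.34.1')."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CONSTRAINT.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable constraint: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        lhs, rhs = _pad(v, bound)
        if not _OPS[op](lhs, rhs):
            return False
    return True


def affected_cves(version: str) -> List[str]:
    """CVE ids from this page whose affected range includes `version`,
    in the order the table lists them."""
    return [cve for cve, spec in ADVISORIES.items() if matches_range(version, spec)]


if __name__ == "__main__":
    for tag in ("0.34.0", "0.37.1-debian-10-r0", "0.38.1", "1.0.2"):
        print(tag, affected_cves(tag) or "no CVEs from this page")
```

Because the check is driven by the "Affected versions" column rather than the prose, feed it the same version string you would pin in a manifest, and treat a clean result as "none of the ranges on this page match", not as "no known issues": the listing has 65 entries and this page shows five of them.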
Page 4 of 4