Home > Vulnerability Database > CVE-2023-40610

Mend.io Vulnerability Database

CVE-2023-40610

Good to know:

Date: November 27, 2023

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. This weakness could result on tampering with the authentication/authorization data.

Language: Python

Severity Score

6.3

Related Resources (6)

Url: https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5

Url: http://www.openwall.com/lists/oss-security/2023/11/27/2

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40610

Url: https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Url: https://github.com/apache/superset

Url: https://www.mend.io/vulnerability-database/CVE-2023-40610

Severity Score

6.3

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version apache-superset - 2.1.2

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40610

Good to know:

Date: November 27, 2023

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?