CVE-2023-30776 - OpenCVE

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Superset

Configuration 1 [-]

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/04/24/3	Mailing List Third Party Advisory
https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz	Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-04-24T15:29:53.498Z

Updated: 2023-06-15T07:29:50.245Z

Reserved: 2023-04-17T11:47:18.487Z

Link: CVE-2023-30776

JSON object: View

NVD Information

Status : Modified

Published: 2023-04-24T16:15:08.000

Modified: 2023-06-15T08:15:09.333

Link: CVE-2023-30776

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-30776", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-04-17T11:47:18.487Z", "datePublished": "2023-04-24T15:29:53.498Z", "dateUpdated": "2023-06-15T07:29:50.245Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.0.1", "status": "affected", "version": "1.3.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Naveen Sunkavally (Horizon3.ai) (finder)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1."}], "value": "An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API.\u00a0This issue affects Apache Superset version 1.3.0 up to 2.0.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-15T07:29:50.245Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz"}, {"url": "http://www.openwall.com/lists/oss-security/2023/04/24/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Database connection password leak", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}