Superset
CVE-2023-42504
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.
This issue affects Apache Superset: before 3.0.0
AnalysisAI
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.0.0 Affected products include: Apache Superset. Version information: before 3.0.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Rated critical severity (CVSS 9.8), th
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to pos
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Py
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternati
Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Rated high
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Rated critical severity (CVSS 9.8),
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow fo
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allow
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests v
In the course of work on the open source project it was discovered that authenticated users running queries against Hive
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Rate
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today