CVE-2023-36387

MEDIUM5.4EPSS 0.02%

Apache Superset: Improper API permission for low privilege users

Published: 9/6/2023Modified: 5/20/2025

Description

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

Affected packages (2)

Bitnami/supersetfrom 0, < 2.1.1
PyPI/apache-supersetfrom 0, <= 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-36387
PATCHhttps://github.com/apache/superset
WEBhttps://github.com/apache/superset/pull/24185
WEBhttps://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3