CVE-2023-42505

MEDIUM4.3EPSS 0.04%

Apache Superset: Sensitive information disclosure on db connection details

Published: 11/28/2023Modified: 5/20/2025

Description

An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username. This issue affects Apache Superset before 3.0.0.

Affected packages (2)

Bitnami/supersetfrom 0, < 3.0.0
PyPI/apache-supersetfrom 0, < 3.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-42505
PATCHhttps://github.com/apache/superset
WEBhttps://lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y
WEBhttp://www.openwall.com/lists/oss-security/2023/11/28/5