CVE-2021-41972: Apache Superset allowed for database connections password leak for authenticated users

May 24, 2022 (updated September 12, 2024)

Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.

References

github.com/advisories/GHSA-42q4-9xf9-f67x
github.com/apache/superset
github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-434.yaml
lists.apache.org/thread/xpdl2r538o695o7r9gd9qrwqb17bdd3v
nvd.nist.gov/vuln/detail/CVE-2021-41972
seclists.org/oss-sec/2021/q4/106

Detect and mitigate CVE-2021-41972 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →