CVE-2021-44451: Insufficiently Protected Credentials in Apache Superset

February 2, 2022 (updated September 12, 2024)

Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

References

github.com/advisories/GHSA-hhm3-48h2-597v
github.com/apache/superset
github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-36.yaml
lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
nvd.nist.gov/vuln/detail/CVE-2021-44451

Detect and mitigate CVE-2021-44451 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →