CVE-2023-42501: Incorrect Default Permissions

November 27, 2023 (updated December 1, 2023)

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read permission from the mentioned resources.

References

www.openwall.com/lists/oss-security/2023/11/27/3
github.com/advisories/GHSA-vv65-fjfj-4736
lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh
nvd.nist.gov/vuln/detail/CVE-2023-42501

Detect and mitigate CVE-2023-42501 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →