CVE-2023-42501: Incorrect Default Permissions

November 27, 2023 (updated December 1, 2023)

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read permission from the mentioned resources.

References

www.openwall.com/lists/oss-security/2023/11/27/3
lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh
nvd.nist.gov/vuln/detail/CVE-2023-42501

Code Behaviors & Features

Detect and mitigate CVE-2023-42501 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →