mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 17:21:36 +00:00
96 lines
3.4 KiB
JSON
96 lines
3.4 KiB
JSON
{
|
|
"id": "CVE-2022-41703",
|
|
"sourceIdentifier": "security@apache.org",
|
|
"published": "2023-01-16T11:15:10.303",
|
|
"lastModified": "2023-04-11T15:15:10.330",
|
|
"vulnStatus": "Modified",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n\n\n"
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "Una vulnerabilidad en el conector SQL Alchemy de Apache Superset permite a un usuario autenticado con acceso de lectura a una base de datos espec\u00edfica agregar subconsultas a los campos WHERE y HAVING que hacen referencia a tablas en la misma base de datos a la que el usuario no deber\u00eda tener acceso, a pesar de que el usuario tiene la indicador de funci\u00f3n \"ALLOW_ADHOC_SUBQUERY\" deshabilitado (valor predeterminado). Este problema afecta a Apache Superset versi\u00f3n 1.5.2 y versiones anteriores y a la versi\u00f3n 2.0.0."
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "LOW",
|
|
"integrityImpact": "LOW",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 5.4,
|
|
"baseSeverity": "MEDIUM"
|
|
},
|
|
"exploitabilityScore": 2.8,
|
|
"impactScore": 2.5
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-89"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
|
|
"versionEndIncluding": "1.5.2",
|
|
"matchCriteriaId": "CD514249-ED9E-45F1-9D50-4A7CE6DB166B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*",
|
|
"matchCriteriaId": "35CD3C6F-B3E0-437C-A1D7-EF700C76923C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "ADD3485B-3FFC-4B60-89F5-E4ECA0C680B6"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "BC060A49-79ED-4539-9E68-EDB15D7F2445"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Third Party Advisory"
|
|
]
|
|
}
|
|
]
|
|
} |