cvelistv5 - CVE-2024-26016

CVE-2024-26016 (GCVE-0-2024-26016)

Vulnerability from cvelistv5 – Published: 2024-02-28 11:28 – Updated: 2025-04-22 15:57

Summary

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/76v1jjcylgk4p3m02…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2024/02/28/7

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Superset	Affected: 0 , < 3.0.4 (semver) Affected: 3.1.0 , < 3.1.1 (semver)

Credits

Daniel Vaz Gaspar Matt Freyre

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26016",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-28T18:55:52.251519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T15:57:40.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:31.100Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Superset",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.1.1",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daniel Vaz Gaspar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Matt Freyre"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A low privilege authenticated user \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.\u003c/span\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.1.1, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-28T11:30:09.832Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Superset: Improper authorization validation on dashboards and charts import",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-26016",
    "datePublished": "2024-02-28T11:28:38.319Z",
    "dateReserved": "2024-02-14T11:18:04.978Z",
    "dateUpdated": "2025-04-22T15:57:40.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.0.4\", \"matchCriteriaId\": \"61A22FBB-3B48-450E-890E-47AD28B387CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.1.0\", \"versionEndExcluding\": \"3.1.1\", \"matchCriteriaId\": \"FFA07ED1-0A94-4801-8C7B-D38FADC4CEB8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\\n\\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Un usuario autenticado con pocos privilegios podr\\u00eda importar un panel o gr\\u00e1fico existente al que no tiene acceso y luego modificar sus metadatos, obteniendo as\\u00ed la propiedad del objeto. Sin embargo, es importante tener en cuenta que el acceso a los datos anal\\u00edticos de estos gr\\u00e1ficos y paneles seguir\\u00eda estando sujeto a la validaci\\u00f3n en funci\\u00f3n de los privilegios de acceso a los datos. Este problema afecta a Apache Superset: antes de la versi\\u00f3n 3.0.4, desde la 3.1.0 hasta la 3.1.1. Se recomienda a los usuarios que actualicen a la versi\\u00f3n 3.1.1, que soluciona el problema.\"}]",
      "id": "CVE-2024-26016",
      "lastModified": "2024-12-31T16:27:58.487",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}]}",
      "published": "2024-02-28T12:15:47.850",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2024/02/28/7\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/02/28/7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26016\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-02-28T12:15:47.850\",\"lastModified\":\"2025-02-13T18:17:17.677\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\\n\\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Un usuario autenticado con pocos privilegios podr\u00eda importar un panel o gr\u00e1fico existente al que no tiene acceso y luego modificar sus metadatos, obteniendo as\u00ed la propiedad del objeto. Sin embargo, es importante tener en cuenta que el acceso a los datos anal\u00edticos de estos gr\u00e1ficos y paneles seguir\u00eda estando sujeto a la validaci\u00f3n en funci\u00f3n de los privilegios de acceso a los datos. Este problema afecta a Apache Superset: antes de la versi\u00f3n 3.0.4, desde la 3.1.0 hasta la 3.1.1. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.1.1, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.0.4\",\"matchCriteriaId\":\"61A22FBB-3B48-450E-890E-47AD28B387CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.0\",\"versionEndExcluding\":\"3.1.1\",\"matchCriteriaId\":\"FFA07ED1-0A94-4801-8C7B-D38FADC4CEB8\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/02/28/7\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/02/28/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/02/28/7\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:59:31.100Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26016\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-28T18:55:52.251519Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:13.624Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Apache Superset: Improper authorization validation on dashboards and charts import\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Daniel Vaz Gaspar\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Matt Freyre\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Superset\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.0.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.1.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/02/28/7\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\\n\\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A low privilege authenticated user \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecould import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.\u003c/span\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.1.1, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-02-28T11:30:09.832Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26016\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:40:58.762Z\", \"dateReserved\": \"2024-02-14T11:18:04.978Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-02-28T11:28:38.319Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2024-26536

Vulnerability from cnvd - Published: 2024-06-14

Title

Apache Superset安全绕过漏洞（CNVD-2024-26536）

Description

Apache Superset是美国阿帕奇（Apache）基金会的一个数据可视化和数据探索平台。 Apache Superset存在信息泄露漏洞，该漏洞是由于仪表板和图表导入上的授权验证不正确造成的。攻击者可利用此漏洞修改元数据并获得对象的所有权。

Severity

中

Patch Name

Apache Superset安全绕过漏洞（CNVD-2024-26536）的补丁

Patch Description

Apache Superset是美国阿帕奇（Apache）基金会的一个数据可视化和数据探索平台。 Apache Superset存在信息泄露漏洞，该漏洞是由于仪表板和图表导入上的授权验证不正确造成的。攻击者可利用此漏洞修改元数据并获得对象的所有权。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s

Reference

https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s

Impacted products

Name
['Apache Superset <3.0.4', 'Apache Superset 3.1.0，<3.1.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-26016",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-26016"
    }
  },
  "description": "Apache Superset\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6570\u636e\u53ef\u89c6\u5316\u548c\u6570\u636e\u63a2\u7d22\u5e73\u53f0\u3002\n\nApache Superset\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u4eea\u8868\u677f\u548c\u56fe\u8868\u5bfc\u5165\u4e0a\u7684\u6388\u6743\u9a8c\u8bc1\u4e0d\u6b63\u786e\u9020\u6210\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4fee\u6539\u5143\u6570\u636e\u5e76\u83b7\u5f97\u5bf9\u8c61\u7684\u6240\u6709\u6743\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-26536",
  "openTime": "2024-06-14",
  "patchDescription": "Apache Superset\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6570\u636e\u53ef\u89c6\u5316\u548c\u6570\u636e\u63a2\u7d22\u5e73\u53f0\u3002\r\n\r\nApache Superset\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u4eea\u8868\u677f\u548c\u56fe\u8868\u5bfc\u5165\u4e0a\u7684\u6388\u6743\u9a8c\u8bc1\u4e0d\u6b63\u786e\u9020\u6210\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4fee\u6539\u5143\u6570\u636e\u5e76\u83b7\u5f97\u5bf9\u8c61\u7684\u6240\u6709\u6743\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Superset\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2024-26536\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Superset \u003c3.0.4",
      "Apache Superset 3.1.0\uff0c\u003c3.1.1"
    ]
  },
  "referenceLink": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s",
  "serverity": "\u4e2d",
  "submitTime": "2024-03-06",
  "title": "Apache Superset\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2024-26536\uff09"
}

GHSA-3V9R-885J-762G

Vulnerability from github – Published: 2024-02-28 12:30 – Updated: 2025-02-13 19:09

Summary

Apache Superset: Improper authorization validation on dashboards and charts import

Details

This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-28T18:36:34Z",
    "nvd_published_at": "2024-02-28T12:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.",
  "id": "GHSA-3v9r-885j-762g",
  "modified": "2025-02-13T19:09:55Z",
  "published": "2024-02-28T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26016"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/superset"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Superset: Improper authorization validation on dashboards and charts import"
}

GSD-2024-26016

Vulnerability from gsd - Updated: 2024-02-15 06:02

Details

Aliases

CVE-2024-26016

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26016"
      ],
      "details": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.\n\n",
      "id": "GSD-2024-26016",
      "modified": "2024-02-15T06:02:25.138392Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2024-26016",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Superset",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "3.0.4"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "3.1.0",
                          "version_value": "3.1.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Daniel Vaz Gaspar"
        },
        {
          "lang": "en",
          "value": "Matt Freyre"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863 Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2024/02/28/7",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.\n\n"
          }
        ],
        "id": "CVE-2024-26016",
        "lastModified": "2024-02-28T15:15:09.320",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "security@apache.org",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-28T12:15:47.850",
        "references": [
          {
            "source": "security@apache.org",
            "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
          },
          {
            "source": "security@apache.org",
            "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

WID-SEC-W-2024-0515

Vulnerability from csaf_certbund - Published: 2024-02-28 23:00 - Updated: 2024-02-28 23:00

Summary

Apache Superset: Mehrere Schwachstellen ermöglichen Manipulation von Dateien

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Superset ist eine Open-Source-Plattform zur Datenexploration und -visualisierung.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Superset ausnutzen, um Dateien zu manipulieren.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Superset ist eine Open-Source-Plattform zur Datenexploration und -visualisierung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache Superset ausnutzen, um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0515 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0515.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0515 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0515"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-02-28",
        "url": "https://github.com/advisories/GHSA-m6jm-3v38-76j4"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-02-28",
        "url": "https://github.com/advisories/GHSA-5474-f7g5-273q"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-02-28",
        "url": "https://github.com/advisories/GHSA-wr6g-9wcr-cmqj"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-02-28",
        "url": "https://github.com/advisories/GHSA-3v9r-885j-762g"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-02-28",
        "url": "https://github.com/advisories/GHSA-h7r6-8qmm-hj5r"
      },
      {
        "category": "external",
        "summary": "Apache Pony Mail vom 2024-02-28",
        "url": "https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5"
      },
      {
        "category": "external",
        "summary": "Apache Pony Mail vom 2024-02-28",
        "url": "https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501"
      },
      {
        "category": "external",
        "summary": "Apache Pony Mail vom 2024-02-28",
        "url": "https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq"
      },
      {
        "category": "external",
        "summary": "Apache Pony Mail vom 2024-02-28",
        "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
      },
      {
        "category": "external",
        "summary": "Apache Pony Mail vom 2024-02-28",
        "url": "https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Superset: Mehrere Schwachstellen erm\u00f6glichen Manipulation von Dateien",
    "tracking": {
      "current_release_date": "2024-02-28T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:05:53.921+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0515",
      "initial_release_date": "2024-02-28T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-28T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 3.1.1",
                "product": {
                  "name": "Apache Superset \u003c 3.1.1",
                  "product_id": "T033185"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c 3.0.4",
                "product": {
                  "name": "Apache Superset \u003c 3.0.4",
                  "product_id": "T033186"
                }
              }
            ],
            "category": "product_name",
            "name": "Superset"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-27315",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existieren mehrere Schwachstellen. Diese sind auf Fehler in der Verarbeitung von SQL-Statements und Fehler im Privilegienmanagement zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um eine SQL-Injection durchzuf\u00fchren oder Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-28T23:00:00.000+00:00",
      "title": "CVE-2024-27315"
    },
    {
      "cve": "CVE-2024-26016",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existieren mehrere Schwachstellen. Diese sind auf Fehler in der Verarbeitung von SQL-Statements und Fehler im Privilegienmanagement zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um eine SQL-Injection durchzuf\u00fchren oder Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-28T23:00:00.000+00:00",
      "title": "CVE-2024-26016"
    },
    {
      "cve": "CVE-2024-24779",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existieren mehrere Schwachstellen. Diese sind auf Fehler in der Verarbeitung von SQL-Statements und Fehler im Privilegienmanagement zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um eine SQL-Injection durchzuf\u00fchren oder Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-28T23:00:00.000+00:00",
      "title": "CVE-2024-24779"
    },
    {
      "cve": "CVE-2024-24773",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existieren mehrere Schwachstellen. Diese sind auf Fehler in der Verarbeitung von SQL-Statements und Fehler im Privilegienmanagement zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um eine SQL-Injection durchzuf\u00fchren oder Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-28T23:00:00.000+00:00",
      "title": "CVE-2024-24773"
    },
    {
      "cve": "CVE-2024-24772",
      "notes": [
        {
          "category": "description",
          "text": "In Apache Superset existieren mehrere Schwachstellen. Diese sind auf Fehler in der Verarbeitung von SQL-Statements und Fehler im Privilegienmanagement zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um eine SQL-Injection durchzuf\u00fchren oder Informationen offenzulegen."
        }
      ],
      "release_date": "2024-02-28T23:00:00.000+00:00",
      "title": "CVE-2024-24772"
    }
  ]
}

FKIE_CVE-2024-26016

Vulnerability from fkie_nvd - Published: 2024-02-28 12:15 - Updated: 2025-02-13 18:17

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2024/02/28/7	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/02/28/7	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	superset	*
	apache	superset	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "61A22FBB-3B48-450E-890E-47AD28B387CF",
              "versionEndExcluding": "3.0.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFA07ED1-0A94-4801-8C7B-D38FADC4CEB8",
              "versionEndExcluding": "3.1.1",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it\u0027s important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue."
    },
    {
      "lang": "es",
      "value": "Un usuario autenticado con pocos privilegios podr\u00eda importar un panel o gr\u00e1fico existente al que no tiene acceso y luego modificar sus metadatos, obteniendo as\u00ed la propiedad del objeto. Sin embargo, es importante tener en cuenta que el acceso a los datos anal\u00edticos de estos gr\u00e1ficos y paneles seguir\u00eda estando sujeto a la validaci\u00f3n en funci\u00f3n de los privilegios de acceso a los datos. Este problema afecta a Apache Superset: antes de la versi\u00f3n 3.0.4, desde la 3.1.0 hasta la 3.1.1. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.1.1, que soluciona el problema."
    }
  ],
  "id": "CVE-2024-26016",
  "lastModified": "2025-02-13T18:17:17.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@apache.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-28T12:15:47.850",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-26016 (GCVE-0-2024-26016)

CNVD-2024-26536

GHSA-3V9R-885J-762G

GSD-2024-26016

WID-SEC-W-2024-0515

FKIE_CVE-2024-26016

Tags

Sightings

Nomenclature