GSD-2021-37839
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-37839",
"description": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.",
"id": "GSD-2021-37839"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-37839"
],
"details": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.",
"id": "GSD-2021-37839",
"modified": "2023-12-13T01:23:10.090907Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37839",
"STATE": "PUBLIC",
"TITLE": "Improper access to dataset metadata information "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Superset",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Superset",
"version_value": "1.5.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Superset would like to thank Dinesh for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-273 Improper Check for Dropped Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Upgrade to 1.5.1 or higher"
}
]
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.5.1",
"affected_versions": "All versions before 1.5.1",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-273",
"CWE-937"
],
"date": "2022-07-14",
"description": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.",
"fixed_versions": [
"1.5.1"
],
"identifier": "CVE-2021-37839",
"identifiers": [
"CVE-2021-37839"
],
"not_impacted": "All versions since 1.5.1",
"package_slug": "pypi/apache-superset",
"pubdate": "2022-07-06",
"solution": "Upgrade to version 1.5.1 or above.",
"title": "Improper Check for Dropped Privileges",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-37839",
"https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
],
"uuid": "71e068c7-0240-4148-a5d6-2aefc1a43f5b"
},
{
"affected_range": "\u003c1.5.1",
"affected_versions": "All versions before 1.5.1",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-273",
"CWE-937"
],
"date": "2022-07-14",
"description": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics.",
"fixed_versions": [
"1.5.1"
],
"identifier": "CVE-2021-37839",
"identifiers": [
"CVE-2021-37839"
],
"not_impacted": "",
"package_slug": "pypi/superset",
"pubdate": "2022-07-06",
"solution": "Upgrade to 1.5.1 or above.",
"title": "Improper Check for Dropped Privileges",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-37839",
"https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
],
"uuid": "818daa86-7d24-4e74-bf8a-9b49338d62df"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.5.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37839"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-273"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4
}
},
"lastModifiedDate": "2022-07-14T01:02Z",
"publishedDate": "2022-07-06T13:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…