
Rewterz Threat Advisory – Multiple Apache Superset and Jena Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-27524 (CVSS: 9.1)

Apache Superset could allow a remote attacker to bypass security restrictions, caused by a session validation flaw when the provided default SECRET_KEY is left in use. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions and gain unauthorized access to resources.
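To make the mechanism behind this flaw concrete, the following is an added Python example (not Superset's own code and not part of the advisory) that models a signed session cookie: validating a cookie only proves that whoever issued it held SECRET_KEY, so a default key that anyone can read from the shipped configuration makes every session forgeable. The KNOWN_DEFAULT_KEYS entry is a constructed placeholder, the 32-character minimum is an assumed policy, and the 42-byte key length follows the common openssl rand -base64 42 advice. The example also shows the two defensive steps that matter: a startup check that refuses a default or short key, and the fact that rotating the key invalidates every session minted under the old one.

```python
"""Toy model of a signed session cookie. Added example; not Superset code.

Shows why a default SECRET_KEY breaks session validation, how a startup
check rejects such a key, and how rotating the key kills old sessions.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for any publicly known default key.
# A real check would list the defaults actually shipped by the product.
KNOWN_DEFAULT_KEYS = {"PLACEHOLDER_DEFAULT_SECRET_KEY"}
MIN_SECRET_KEY_LENGTH = 32  # assumed policy minimum


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, secret_key: str) -> str:
    """Serialise payload and append an HMAC-SHA256 tag keyed by secret_key."""
    body = _b64encode(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session(token: str, secret_key: str):
    """Return the payload if the tag is valid under secret_key, else None.

    Anyone holding secret_key can mint tokens that pass this check, which
    is exactly why a shared default key removes the protection.
    """
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_b64decode(body))


def secret_key_is_acceptable(secret_key: str) -> bool:
    """Startup check: reject known default keys and keys that are too short."""
    return (
        secret_key not in KNOWN_DEFAULT_KEYS
        and len(secret_key) >= MIN_SECRET_KEY_LENGTH
    )


def generate_secret_key() -> str:
    """Fresh random key; 42 bytes mirrors the usual `openssl rand -base64 42` advice."""
    return secrets.token_urlsafe(42)


def rotating_key_invalidates_sessions(old_key: str, new_key: str) -> bool:
    """A session minted under old_key must validate there and fail under new_key."""
    token = sign_session({"user_id": 1, "role": "Admin"}, old_key)
    return (
        verify_session(token, old_key) is not None
        and verify_session(token, new_key) is None
    )


if __name__ == "__main__":
    weak = "PLACEHOLDER_DEFAULT_SECRET_KEY"
    strong = generate_secret_key()
    print("default key accepted by startup check:", secret_key_is_acceptable(weak))
    print("generated key accepted by startup check:", secret_key_is_acceptable(strong))
    print("rotation invalidates old sessions:", rotating_key_invalidates_sessions(weak, strong))
```

Running the script shows the default key being rejected, a freshly generated key being accepted, and a session signed under the old key failing verification once the key is rotated; after upgrading, operators should expect exactly that last effect (all users re-authenticate) when they replace a default SECRET_KEY.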

CVE-2023-22665 (CVSS: 7.3)

Apache Jena could allow a remote attacker to execute arbitrary code on the system, caused by improper checking of user queries. By sending a specially crafted SPARQL query, an attacker could exploit this vulnerability to execute arbitrary JavaScript on the system.

CVE-2023-30776 (CVSS: 6.5)

Apache Superset could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation in the REST API. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain database connection passwords and use them to launch further attacks against the affected system.

Impact

  • Code Execution
  • Security Bypass
  • Information Disclosure

Indicators Of Compromise

CVE

  • CVE-2023-27524
  • CVE-2023-22665
  • CVE-2023-30776

Affected Vendors

Apache

Affected Products

  • Apache Superset 2.0.1
  • Apache Jena 4.7.0

Remediation

Upgrade to the latest version of Apache Superset and Apache Jena, available from the Apache website.

Apache Superset

Apache Jena