Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/10/04 22:37:46 UTC

[GitHub] [superset] dharmic6 opened a new issue #16966: An authenticated user can gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application.

dharmic6 opened a new issue #16966:
URL: https://github.com/apache/superset/issues/16966


   A clear and concise description of what the bug is.
   
   
   1. Log in as user A.
   2. Go to the user profile at /superset/profile/userA/.
   3. Change the URL from user A to user B, e.g. /superset/profile/userB/.
   4. Now you can see the dashboards, charts and activities of userB.
   
   ### Expected results
   
   User A is not supposed to see dashboards or charts unless user B or an admin provides access to them.
   
   ### Actual results
   
   An authenticated user can see all other users' information, including the queries behind their charts.
   
   Impacted URLs:
   
   /superset/profile/[UserName]/
   /superset/recent_activity/[User_ID]/
   /superset/created_dashboards/[User_ID]/
   /superset/fave_slices/[User_ID]/
   /superset/fave_dashboards/[User_ID]/
   /superset/dashboard/[Dashboard_Name]/
   /superset/created_slices/[User_ID]/
   
   #### Screenshots
   
   If applicable, add screenshots to help explain your problem.
   
   
   ### Environment
   
   (please complete the following information):
   
   - browser type and version: chrome 94.0.4606.61
   - superset version: 1.3
   - python version: 3.7
   - node.js version: v16.5.0
   - any feature flags active:
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included them here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   ### Additional context
   
   Add any other context about the problem here.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
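The report above describes a missing object-level authorization check: the URL parameter alone decides whose profile, charts and activity are returned, so any logged-in user can read any other user's data. The following is an added illustration, not code from Apache Superset and not the project's fix: a minimal stand-in for the per-user routes listed in the issue, showing the unchecked lookup beside a deny-by-default version, plus a small detection pass over constructed access-log lines. All names (`User`, `PROFILES`, `USER_IDS`, `ACCESS_LOG`, the log format with the authenticated username as the first field) are assumptions made for this demo.

```python
"""Illustrative owner-or-admin check for per-user profile endpoints.

Added example, not Apache Superset code. PROFILES, USER_IDS, ADMINS and
ACCESS_LOG are constructed sample data for the demo.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the requesting user may not view the target's data."""


# Constructed sample data standing in for per-user charts and dashboards.
PROFILES = {
    "userA": {"charts": ["A sales"], "dashboards": ["A overview"]},
    "userB": {"charts": ["B payroll"], "dashboards": ["B finance"]},
}


def profile_unchecked(current: User, target: str) -> dict:
    """The pattern the report describes: the URL parameter alone selects
    whose data is returned, so any authenticated user can read any profile."""
    return PROFILES[target]


def authorize_profile_view(current: User, target: str) -> None:
    """Object-level check: only the owner or an admin may view a profile.
    Unknown targets raise the same error as forbidden ones, so the response
    does not reveal which usernames exist."""
    if target not in PROFILES:
        raise Forbidden("not permitted")
    if current.is_admin or current.username == target:
        return
    raise Forbidden("not permitted")


def profile_checked(current: User, target: str) -> dict:
    """Hardened counterpart of profile_unchecked."""
    authorize_profile_view(current, target)
    return PROFILES[target]


# --- Detection over access logs -------------------------------------------
# Assumed (constructed) log format: "<authenticated_user> <method> <path> <status>".
# A real deployment would have to record the authenticated identity in its
# access log for a check like this to be possible.
PROFILE_PATH = re.compile(r"^/superset/profile/(?P<target>[^/]+)/$")
ID_PATH = re.compile(
    r"^/superset/(?:recent_activity|created_dashboards|fave_slices|"
    r"fave_dashboards|created_slices)/(?P<target>\d+)/$"
)

ACCESS_LOG = """\
userA GET /superset/profile/userA/ 200
userA GET /superset/profile/userB/ 200
userB GET /superset/created_slices/7/ 200
admin GET /superset/profile/userB/ 200
"""

# Constructed username -> numeric id mapping for the [User_ID] routes.
USER_IDS = {"userA": 3, "userB": 7}
ADMINS = {"admin"}


def cross_user_accesses(log: str = ACCESS_LOG) -> list:
    """Return (actor, path) pairs where a non-admin successfully fetched
    another user's profile or per-user listing. Successful cross-user
    reads are the signal that the owner-or-admin check was missing."""
    hits = []
    for line in log.splitlines():
        actor, _method, path, status = line.split()
        if actor in ADMINS or status != "200":
            continue
        m = PROFILE_PATH.match(path) or ID_PATH.match(path)
        if not m:
            continue
        target = m.group("target")
        own = target == actor or target == str(USER_IDS.get(actor))
        if not own:
            hits.append((actor, path))
    return hits


if __name__ == "__main__":
    print(cross_user_accesses())
```

Running the module prints the single cross-user read in the constructed log, userA fetching /superset/profile/userB/; the same request against `profile_checked` raises `Forbidden`, while the owner and an admin still get the data.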


[GitHub] [superset] junlincc commented on issue #16966: An authenticated user can gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application.

Posted by GitBox <gi...@apache.org>.
junlincc commented on issue #16966:
URL: https://github.com/apache/superset/issues/16966#issuecomment-933925641


   Hi @dharmic6, please follow the instructions in https://github.com/apache/superset/security/policy to file security-related issues. 🙏 Thanks for filing and for understanding; I will have to close and wipe this issue for now.




[GitHub] [superset] junlincc closed issue #16966: An authenticated user can gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application.

Posted by GitBox <gi...@apache.org>.
junlincc closed issue #16966:
URL: https://github.com/apache/superset/issues/16966


   

