You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Daniel Gaspar <dp...@apache.org> on 2021/10/15 13:06:39 UTC
CVE-2021-41971: Apache Superset: Possible SQL Injection when
template processing is enabled
Severity: low
Description:
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.
Mitigation:
Don't enable ENABLE_TEMPLATE_PROCESSING (disabled by default).
Or upgrade to Apache Superset 1.3.1
Credit:
Apache Superset would like to thank Kevin Kusnardi for reporting this issue