Posted to announce@apache.org by Daniel Gaspar <dp...@apache.org> on 2023/01/16 09:31:37 UTC

CVE-2022-45438: Apache Superset: Dashboard metadata information leak

Description:

When the feature flag DASHBOARD_CACHE (disabled by default) was explicitly enabled, the system allowed an unauthenticated user to access dashboard configuration metadata through a REST API GET endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Credit:

Sunny Alexli (finder)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2022-45438
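
A triage check for the two conditions in the description above (affected version and DASHBOARD_CACHE explicitly enabled), added here as an example and not part of the advisory or of Superset's code. It assumes feature flags are set as a literal FEATURE_FLAGS dict in the deployment's Superset config file; the function names and the sample config are constructed for illustration.

```python
import ast
import re

# Affected releases per the advisory: 1.5.2 and prior, plus 2.0.0.
LAST_AFFECTED = (1, 5, 2)
ALSO_AFFECTED = {(2, 0, 0)}

# Constructed sample config for illustration, not taken from a real deployment.
SAMPLE_CONFIG = '''
FEATURE_FLAGS = {
    "DASHBOARD_CACHE": True,
    "EXAMPLE_OTHER_FLAG": False,
}
'''

def parse_version(text):
    """'1.5.2' -> (1, 5, 2). Suffixes such as 'rc1' are ignored (assumption)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    v = parse_version(text)
    return v <= LAST_AFFECTED or v in ALSO_AFFECTED

def dashboard_cache_flag(config_source):
    """Read DASHBOARD_CACHE from the config text without executing it.

    Returns True/False for a literal value, None if the value is not a literal.
    """
    state = False  # the advisory says the flag is disabled by default
    for node in ast.parse(config_source).body:
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict)):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "FEATURE_FLAGS" for t in node.targets):
            continue
        for key, val in zip(node.value.keys, node.value.values):
            if isinstance(key, ast.Constant) and key.value == "DASHBOARD_CACHE":
                literal = isinstance(val, ast.Constant) and isinstance(val.value, bool)
                state = val.value if literal else None
    return state

def triage(version, config_source):
    """Classify one deployment against the conditions in the advisory."""
    if not version_affected(version):
        return "not affected"
    flag = dashboard_cache_flag(config_source)
    if flag is None:
        return "review manually"
    return "exposed" if flag else "flag off"
```

The check only sees top-level literal assignments in the text it is given; a flag computed at runtime is reported as "review manually" rather than guessed.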