Posted to commits@superset.apache.org by dp...@apache.org on 2023/07/26 13:21:34 UTC
[superset] branch master updated: docs: update security policy and add CVE info (#24769)
This is an automated email from the ASF dual-hosted git repository.
dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 165afee55a docs: update security policy and add CVE info (#24769)
165afee55a is described below
commit 165afee55a816e2e084ba2dac4cad7d5cb7d2a57
Author: Daniel Vaz Gaspar <da...@gmail.com>
AuthorDate: Wed Jul 26 14:21:26 2023 +0100
docs: update security policy and add CVE info (#24769)
---
.github/SECURITY.md | 38 +++++++++++++++++++++++++++++++++++
docs/docs/security/_category_.json | 4 ++++
docs/docs/security/cves.mdx | 27 +++++++++++++++++++++++++
docs/docs/{ => security}/security.mdx | 4 ++--
4 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 0000000000..f35b9c48f0
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org) and follows the
+ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+## Reporting Vulnerabilities
+
+**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**
+
+
+Apache Software Foundation takes a rigorous standpoint in annihilating the security issues
+in its software projects. Apache Superset is highly sensitive and forthcoming to issues
+pertaining to its features and functionality.
+If you have any concern or believe you have found a vulnerability in Apache Superset,
+please get in touch with the Apache Security Team privately at
+e-mail address [security@apache.org](mailto:security@apache.org).
+
+More details can be found on the ASF website at
+[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
+
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability
+
+Note that Apache Superset is not responsible for any third-party dependencies that may
+have security issues. Any vulnerabilities found in third-party dependencies should be
+reported to the maintainers of those projects. Results from security scans of Apache
+Superset dependencies found on its official Docker image can be remediated at release time
+by extending the image itself.
+
+**Your responsible disclosure and collaboration are invaluable.**
+
+## Extra Information
+
+ - [Apache Superset documentation](https://superset.apache.org/docs/security)
+ - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
+ - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
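Review bot: the wording of the opening paragraph under "Reporting Vulnerabilities" ("takes a rigorous standpoint in annihilating the security issues", "is highly sensitive and forthcoming to issues") is awkward for a policy page and should be plain, e.g. "The Apache Software Foundation takes security issues in its projects seriously. The Apache Superset team welcomes reports of issues affecting its features and functionality." Smaller points in the same hunk: the two consecutive blank lines after the bold warning should be collapsed to one, the sentence ending in the "[ASF vulnerability reporting process]" link is missing its period, and the three bullets under "## Extra Information" are indented by one space while the bullets under "We kindly ask you..." are not, so the list styles should be made consistent.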
diff --git a/docs/docs/security/_category_.json b/docs/docs/security/_category_.json
new file mode 100644
index 0000000000..7d24a44873
--- /dev/null
+++ b/docs/docs/security/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Security",
+ "position": 10
+}
diff --git a/docs/docs/security/cves.mdx b/docs/docs/security/cves.mdx
new file mode 100644
index 0000000000..148af09c54
--- /dev/null
+++ b/docs/docs/security/cves.mdx
@@ -0,0 +1,27 @@
+---
+title: CVEs by release
+hide_title: true
+sidebar_position: 2
+---
+
+#### Version 2.1.0
+
+| CVE | Title | Affected |
+| :------------- | :---------------------------------------------------------------------- | -----------------:|
+| CVE-2023-25504 | Possible SSRF on import datasets | <= 2.1.0 |
+| CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY | <= 2.1.0 |
+| CVE-2023-27525 | Incorrect default permissions for Gamma role | <= 2.1.0 |
+| CVE-2023-30776 | Database connection password leak | <= 2.1.0 |
+
+
+#### Version 2.0.1
+
+| CVE | Title | Affected |
+| :------------- | :---------------------------------------------------------- | -----------------:|
+| CVE-2022-41703 | SQL injection vulnerability in adhoc clauses | < 2.0.1 or <1.5.2 |
+| CVE-2022-43717 | Cross-Site Scripting on dashboards | < 2.0.1 or <1.5.2 |
+| CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms | < 2.0.1 or <1.5.2 |
+| CVE-2022-43719 | Cross Site Request Forgery (CSRF) on accept, request access | < 2.0.1 or <1.5.2 |
+| CVE-2022-43720 | Improper rendering of user input | < 2.0.1 or <1.5.2 |
+| CVE-2022-43721 | Open Redirect Vulnerability | < 2.0.1 or <1.5.2 |
+| CVE-2022-45438 | Dashboard metadata information leak | < 2.0.1 or <1.5.2 |
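Review bot: the "Affected" column is ambiguous between the two tables: under "Version 2.1.0" the rows read "<= 2.1.0", which says 2.1.0 itself is affected, while under "Version 2.0.1" the rows read "< 2.0.1 or <1.5.2", which says 2.0.1 is the fixed release. Either the heading means "fixed in" and the 2.1.0 rows should use a strict bound, or the column semantics should be spelled out (for example by renaming it to "Affected versions" and adding a "Fixed in" column), so readers do not conclude the wrong thing about whether 2.1.0 is vulnerable. Minor: the spacing in "< 2.0.1 or <1.5.2" is inconsistent, "Cross Site Request Forgery" should be hyphenated like "Cross-Site Scripting" in the rows above it, and the two blank lines before "#### Version 2.0.1" should be one.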
diff --git a/docs/docs/security.mdx b/docs/docs/security/security.mdx
similarity index 99%
rename from docs/docs/security.mdx
rename to docs/docs/security/security.mdx
index ab6d41e895..5934af51df 100644
--- a/docs/docs/security.mdx
+++ b/docs/docs/security/security.mdx
@@ -1,7 +1,7 @@
---
-title: Security
+title: Role based Access
hide_title: true
-sidebar_position: 10
+sidebar_position: 1
---
### Roles
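Review bot: the new title "Role based Access" should be hyphenated as "Role-based Access" since it is a compound modifier; the rest of the rename (moving the page under docs/docs/security/ and giving it sidebar_position 1 next to the new cves.mdx at position 2) looks consistent with the _category_.json added in this commit, which takes over the old sidebar_position of 10 for the Security section as a whole.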