CVE-2024-26016

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-26016
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/02/28/7 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/02/28/7 Mailing List Third Party Advisory
https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s Mailing List Vendor Advisory
https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
History

13 Feb 2025, 18:17

Type Values Removed Values Added
Summary A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue. A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

31 Dec 2024, 16:27

Type Values Removed Values Added
CPE cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
First Time Apache superset
Apache
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
CWE CWE-863
References () http://www.openwall.com/lists/oss-security/2024/02/28/7 - () http://www.openwall.com/lists/oss-security/2024/02/28/7 - Mailing List, Third Party Advisory
References () https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s - () https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s - Mailing List, Vendor Advisory

28 Feb 2024, 15:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/02/28/7 -

28 Feb 2024, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-28 12:15

Updated : 2025-02-13 18:17

NVD link : CVE-2024-26016

Mitre link : CVE-2024-26016

JSON object : View

Products Affected

apache

  • superset
CWE

No CWE.