Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.
issue affects Apache Superset: from 2.0.0 before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
| Score | Percentile |
|---|---|
| 0.34% | 55.77% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.5 | 3.1 | — |
|
| 7.6 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-35fc-9hrj-3585 ↗ |
| CVE | CVE-2024-53949 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | apache-superset | >= 2.0.0, < 4.1.0 | 4.1.0 | — |