Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
History

Sat, 28 Sep 2024 08:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-09-06T13:00:11.612Z

Updated: 2024-09-27T18:48:35.245Z

Reserved: 2023-07-26T15:30:14.900Z

Link: CVE-2023-39265

cve-icon Vulnrichment

Updated: 2024-08-02T18:02:06.680Z

cve-icon NVD

Status : Modified

Published: 2023-09-06T14:15:10.687

Modified: 2024-11-21T08:15:00.910

Link: CVE-2023-39265

cve-icon Redhat

No data.