Latest version: v4.1.1
CVE/PVE | Vulnerability ID | Advisory | Affected versions | Severity | Severity Score |
---|---|---|---|---|---|
CVE-2024-34693 | 71840 | Improper Input Validation vulnerability in Apache Superset, allows fo… | | - | - |
CVE-2022-43718 | 54611 | Upload data forms do not correctly render user input leading to possi… | | MEDIUM | 5.4 |
CVE-2022-41703 | 54626 | A vulnerability in the SQL Alchemy connector of Apache Superset allow… | | MEDIUM | 5.4 |
CVE-2022-43721 | 54615 | An authenticated attacker with update datasets permission could chang… | | MEDIUM | 5.4 |
CVE-2022-43720 | 54625 | An authenticated attacker with write CSS template permissions can cre… | | MEDIUM | 5.4 |
CVE-2022-43719 | 54612 | Two legacy REST API endpoints for approval and request access are vul… | | HIGH | 8.8 |
CVE-2022-43717 | 54616 | Dashboard rendering does not sufficiently sanitize the content of mar… | | MEDIUM | 5.4 |
CVE-2022-45438 | 54614 | When explicitly enabling the feature flag 'DASHBOARD_CACHE' (disabled… | | MEDIUM | 5.3 |
CVE-2024-27315 | 68480 | A vulnerability in various versions of Apache Superset allows authent… | | - | - |
CVE-2024-24779 | 68494 | Apache Superset with custom roles that include `can write on dataset`… | | - | - |
CVE-2024-24772 | 68496 | A guest user could exploit a chart data REST API and send arbitrary S… | | - | - |
CVE-2024-24773 | 68495 | Improper parsing of nested SQL statements on SQLLab would allow authe… | | - | - |
CVE-2024-26016 | 68490 | A low privilege authenticated user could import an existing dashboard… | | - | - |
CVE-2023-49734 | 65195 | An authenticated Gamma user can create a dashboard and add charts to … | | MEDIUM | 6.5 |
CVE-2023-49736 | 65196 | A where_in JINJA macro allows users to specify a quote, which combine… | | HIGH | 8.8 |
CVE-2023-46104 | 65186 | Uncontrolled resource consumption can be triggered by authenticated a… | | MEDIUM | 6.5 |
CVE-2024-39887 | 72252 | An SQL Injection vulnerability in Apache Superset exists due to impro… | | - | - |
CVE-2024-28148 | 71839 | An authenticated user could potentially access metadata for a data so… | | - | - |
CVE-2023-49657 | 66702 | A stored cross-site scripting (XSS) vulnerability exists in Apache Su… | | MEDIUM | 5.4 |
CVE-2023-42502 | 65227 | An authenticated attacker with update datasets permission could chang… | | MEDIUM | 5.4 |
CVE-2021-33026 | 61921 | Apache-superset 3.0.0 updates its dependency 'flask_caching' to v1.11… | | CRITICAL | 9.8 |
CVE-2021-3807 | 61908 | Apache-superset 3.0.0 updates its NPM dependency 'ansi-regex' to incl… | | HIGH | 7.5 |
CVE-2023-42505 | 65229 | An authenticated user with read permissions on database connection me… | | MEDIUM | 4.3 |
CVE-2023-42504 | 65228 | An authenticated malicious user could initiate multiple concurrent re… | | MEDIUM | 6.5 |
CVE-2023-40610 | 65225 | Improper authorization check and possible privilege escalation on Apa… | | HIGH | 8.8 |
CVE-2023-43701 | 65230 | Improper payload validation and an improper REST API response type ma… | | MEDIUM | 5.4 |
CVE-2023-42501 | 65226 | Unnecessary read permissions within the Gamma role would allow authen… | | MEDIUM | 4.3 |
PVE-2023-59076 | 59076 | Apache-superset 2.1.0 includes a fix for an XSS vulnerability. https… | | - | - |
CVE-2023-39265 | 65000 | Apache Superset would allow for SQLite database connections to be inc… | | MEDIUM | 6.5 |
CVE-2023-36388 | 64998 | Improper REST API permission in Apache Superset up to and including 2… | | MEDIUM | 5.4 |
CVE-2023-36387 | 65024 | An improper default REST API permission for Gamma users in Apache Sup… | | MEDIUM | 5.4 |
CVE-2023-27523 | 62898 | Improper data authorization check on Jinja templated queries in Apach… | | MEDIUM | 4.3 |
CVE-2023-39264 | 64999 | By default, stack traces for errors were enabled, which resulted in t… | | MEDIUM | 4.3 |
CVE-2023-27526 | 62904 | A non Admin authenticated user could incorrectly create resources usi… | | MEDIUM | 4.3 |
PVE-2023-52798 | 52798 | Apache-superset 2.0.1 improves SafeMarkdown HTML sanitization to prev… | | - | - |
PVE-2023-52807 | 52807 | Apache-superset 2.0.1 disables HTML rendering in Toast by default. h… | | - | - |
CVE-2023-27525 | 62902 | An authenticated user with Gamma role authorization could have access… | | MEDIUM | 4.3 |
CVE-2023-25504 | 62896 | A malicious actor who has been authenticated and granted specific per… | | MEDIUM | 6.5 |
CVE-2023-27524 | 62900 | Session Validation attacks in Apache Superset versions up to and incl… | | CRITICAL | 9.8 |
CVE-2023-37941 | 61038 | Apache-superset 2.1.1 includes a fix for CVE-2023-37941: If an attack… | | MEDIUM | 6.6 |
CVE-2023-30776 | 64173 | An authenticated user with specific data permissions could access dat… | | MEDIUM | 6.5 |
CVE-2020-28477 | 41791 | Apache-superset 1.2.0 updates NPM packages for security fixes. https… | | HIGH | 7.5 |
CVE-2021-3807 | 45803 | Apache-superset 1.2.0 updates NPM packages for security fixes. https… | | HIGH | 7.5 |
PVE-2021-41203 | 41203 | Apache-superset 1.0.0 applies owners security validation. It was miss… | | HIDDEN | X.Y |
PVE-2021-38193 | 38193 | Apache-superset 0.9.1 improved its security: Gamma role sees only its… | | - | - |
CVE-2020-13948 | 38793 | Apache-superset 0.37.1 includes a fix for CVE-2020-13948: While inves… | | HIGH | 8.8 |
PVE-2021-39473 | 39473 | Apache-superset 0.37.1 disallows uuid package on jinja1 (#10794). Thi… | | - | - |
PVE-2021-39474 | 39474 | Apache-superset 0.37.0 includes various security-related improvements… | | - | - |
CVE-2019-16769 | 44577 | Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascri… | | MEDIUM | 5.4 |
CVE-2019-16772 | 44578 | Apache-superset 0.36.0 updates its NPM dependency 'serialize-javascri… | | MEDIUM | 6.1 |
CVE-2017-18869 | 42732 | Apache-superset 0.36.0 updates its NPM dependency 'chownr' to v1.1.1 … | | LOW | 2.5 |
PVE-2021-39475 | 39475 | Apache-superset 0.36.0 filters out markdown containing XSS. https://… | | HIDDEN | X.Y |
CVE-2019-12408 | 39476 | Apache-superset 0.35.2 bumps packages with security vulnerabilities (… | | HIGH | 7.5 |
CVE-2020-26870 | 39477 | Apache-superset 0.35.1 updates its dependency 'dompurify' to v2.0.7 t… | | MEDIUM | 6.1 |
PVE-2021-39478 | 39478 | Apache-superset 0.35.0 adds security for restricted metrics (#8175). | | - | - |
CVE-2020-1932 | 54193 | An information disclosure issue was found in Apache Superset 0.34.0, … | | MEDIUM | 6.5 |
CVE-2019-11324 | 45812 | Apache-superset 0.34.0 updates its dependency 'urllib3' to v1.24.3 to… | | HIGH | 7.5 |
CVE-2017-18342 | 45811 | Apache-superset 0.34.0 updates its dependency 'pyyaml' to v5.1 to inc… | | CRITICAL | 9.8 |
CVE-2018-20060 | 45814 | Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to … | | CRITICAL | 9.8 |
CVE-2019-10906 | 39479 | Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to … | | HIGH | 8.6 |
CVE-2019-10906 | 45813 | Apache-superset 0.34.0 updates its dependency 'jinja2' to v2.10.1 to … | | HIGH | 8.6 |
PVE-2021-39481 | 39481 | Apache-superset 0.33.0rc1 adds Flask-Talisman (#7443) for security re… | | - | - |
PVE-2021-39480 | 39480 | Apache-superset 0.32.0rc2.dev2 updates merge_perm and fixes the FAB m… | | - | - |
PVE-2021-39482 | 39482 | Apache-superset 0.32.0rc1 makes it easier to redefine Alpha/Gamma (#7… | | - | - |
PVE-2021-39483 | 39483 | Apache-superset 0.31.0rc1 fixes dependencies with vulnerabilities (#6… | | - | - |
PVE-2021-39484 | 39484 | Apache-superset 0.29.0rc8 secures unsecured views and prevent regress… | | - | - |
PVE-2021-39485 | 39485 | Apache-superset 0.28.0rc5 moves set/merge perm to security manager (#… | | - | - |
PVE-2021-39488 | 39488 | Apache-superset 0.25.0 refactors security code into SupersetSecurityM… | | - | - |
CVE-2023-32672 | 64672 | An Incorrect authorisation check in SQLLab in Apache Superset version… | | MEDIUM | 4.3 |
PVE-2021-41794 | 41794 | Apache-superset version 0.17.5 adds a csrf_token api endpoint. | | - | - |
CVE-2021-37839 | 54418 | Apache Superset up to 1.5.1 allowed for authenticated users to access… | | MEDIUM | 4.3 |
CVE-2022-27479 | 54435 | Apache Superset before 1.4.2 is vulnerable to SQL injection in chart … | | CRITICAL | 9.8 |
CVE-2021-44451 | 54171 | Apache Superset up to and including 1.3.2 allowed for registered data… | | MEDIUM | 6.5 |
PVE-2021-39494 | 39494 | Apache-superset 0.14.0 improves the security scheme (#1587). | | - | - |
CVE-2021-41972 | 54371 | Apache Superset up to and including 1.3.1 allowed for database connec… | | MEDIUM | 6.5 |
CVE-2021-42250 | 54375 | Improper output neutralization for Logs. A specific Apache Superset H… | | MEDIUM | 6.5 |
CVE-2021-41971 | 54351 | Apache Superset up to and including 1.3.0 when configured with ENABLE… | | HIGH | 8.8 |
CVE-2021-32609 | 54353 | Apache Superset up to and including 1.1 does not sanitize titles corr… | | MEDIUM | 5.4 |
CVE-2021-28125 | 54265 | Apache Superset prior to 1.1.0 allowed for the creation of an externa… | | MEDIUM | 6.1 |
CVE-2021-27907 | 54300 | Apache Superset up to and including 0.38.0 allowed the creation of a … | | MEDIUM | 5.4 |
CVE-2020-13952 | 54228 | In the course of work on the open source project it was discovered th… | | HIGH | 8.1 |
PVE-2024-99801 | 66014 | The vulnerability threatens the security of apache-superset before 0.… | | - | - |
PVE-2024-99799 | 66016 | Apache-superset versions before 0.34.0 are vulnerable to Cross-site S… | | - | - |
PVE-2024-99797 | 66018 | Cross-site Scripting (XSS) vulnerabilities have been detected in vers… | | - | - |
PVE-2024-99800 | 66015 | Apache Superset versions before 0.34.0 are susceptible to a Cross-sit… | | - | - |
CVE-2019-12414 | 54140 | In Apache Incubator Superset before 0.32, a user can view database na… | | MEDIUM | 5.3 |
CVE-2019-12413 | 54144 | In Apache Incubator Superset before 0.31 user could query database me… | | MEDIUM | 5.3 |