GSD-2022-43721
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-43721",
"id": "GSD-2022-43721"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-43721"
],
"details": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
"id": "GSD-2022-43721",
"modified": "2023-12-13T01:19:31.922287Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-43721",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Superset",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.0.0"
},
{
"version_affected": "=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Vladimir Razov (Positive Technologies)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-601",
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.5.2||==2.0.0",
"affected_versions": "All versions up to 1.5.2, version 2.0.0",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-601",
"CWE-937"
],
"date": "2023-01-24",
"description": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
"fixed_versions": [
"1.5.3",
"2.0.1"
],
"identifier": "CVE-2022-43721",
"identifiers": [
"CVE-2022-43721",
"GHSA-fcg4-pm6h-9xx2"
],
"not_impacted": "All versions after 1.5.2 before 2.0.0, all versions after 2.0.0",
"package_slug": "pypi/apache-superset",
"pubdate": "2023-01-16",
"solution": "Upgrade to versions 1.5.3, 2.0.1 or above.",
"title": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-43721",
"https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg",
"https://github.com/advisories/GHSA-fcg4-pm6h-9xx2"
],
"uuid": "566148d6-f91f-4024-85fa-aa31b22ab306"
},
{
"affected_range": "\u003c=1.5.2||==2.0.0",
"affected_versions": "All versions up to 1.5.2, version 2.0.0",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-601",
"CWE-937"
],
"date": "2023-01-24",
"description": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.",
"fixed_versions": [],
"identifier": "CVE-2022-43721",
"identifiers": [
"CVE-2022-43721"
],
"not_impacted": "",
"package_slug": "pypi/superset",
"pubdate": "2023-01-16",
"solution": "Unfortunately, there is no solution available yet.",
"title": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-43721",
"https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg"
],
"uuid": "0909b926-19d2-4939-9f9e-00fd6719c7d5"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.5.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-43721"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg",
"refsource": "MISC",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-01-24T16:06Z",
"publishedDate": "2023-01-16T11:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…