4.3

CVE-2024-27315

EPSS 0.1%
Published 28.02.2024 10:15:09
Last modified 31.12.2024 16:16:15
Source security@apache.org
Teams watchlist Login
Open Login

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data.


This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Superset Version < 3.0.4

Apache ≫ Superset Version >= 3.1.0 < 3.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.28

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security@apache.org	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/02/28/3

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-27315

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27315

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27315

EUVD