From: Daniel Gaspar
To: oss-security@lists.openwall.com
Date: Tue, 07 May 2024 08:54:03 +0000
Subject: [oss-security] CVE-2024-28148: Apache Superset: Incorrect datasource authorization on explore REST API

Affected versions:
- Apache Superset before 4.0.0

Description:
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.
This issue affects Apache Superset: before 4.0.0.

Users are recommended to upgrade to version 4.0.0, which fixes the issue.

Credit:
Daniel Pedro Vaz Gaspar (remediation developer)
Krishna Nadh (finder)

References:
https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-28148