{"id":"GHSA-9832-mgg4-3gr6","summary":"Apache Superset has improper default REST API permission for Gamma users","details":"An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows an authenticated Gamma user to test database connections.\n","aliases":["BIT-superset-2023-36387","CVE-2023-36387"],"modified":"2025-02-05T09:11:42.452258Z","published":"2023-09-06T15:30:26Z","database_specific":{"severity":"MODERATE","nvd_published_at":"2023-09-06T13:15:08Z","github_reviewed_at":"2023-09-07T13:59:27Z","github_reviewed":true,"cwe_ids":["CWE-281","CWE-863","CWE-918"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36387"},{"type":"WEB","url":"https://github.com/apache/superset/pull/24185"},{"type":"PACKAGE","url":"https://github.com/apache/superset"},{"type":"WEB","url":"https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3"}],"affected":[{"package":{"name":"apache-superset","ecosystem":"PyPI","purl":"pkg:pypi/apache-superset"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.1.0"}]}],"versions":["0.34.0","0.34.1","0.35.1","0.35.2","0.36.0","0.37.0","0.37.1","0.37.2","0.38.0","0.38.1","1.0.0","1.0.1","1.1.0","1.2.0","1.3.0","1.3.1","1.3.2","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.5.3","2.0.0","2.0.1","2.1.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-9832-mgg4-3gr6/GHSA-9832-mgg4-3gr6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L"}]}