Superset Vulnerabilities

This vulnerability allows an authenticated user with access to SQLLab in Apache Superset to bypass restrictions and execute unauthorized data manipulation commands on a PostgreSQL database, even though the system is supposed to prevent such actions. To exploit this, the attacker must have valid credentials and access to the SQLLab feature before the software is updated to version 6.0.0, which fixes the issue.

This vulnerability allows authenticated users with low privileges to access sensitive information, such as password hashes and email addresses, through a specific API endpoint in Apache Superset. To exploit this, the tagging feature must be enabled, which is not the default setting, but users should upgrade to version 6.0.0 to fully protect against this risk.

This vulnerability allows a low-privileged user to access unauthorized data by manipulating existing datasets in Apache Superset. An attacker needs to have permission to create datasets and read charts, which lets them overwrite SQL queries and bypass data access controls.

This vulnerability allows an authenticated user with read access to manipulate SQL queries, potentially exposing sensitive data or causing errors in the database. It affects versions of Apache Superset prior to 6.0.0, so users should upgrade to this version to fix the issue.

This vulnerability allows an attacker to execute potentially harmful SQL functions in Apache Superset when using the ClickHouse database, due to an incomplete list of restricted functions. To exploit this, the attacker needs access to SQL Lab or charts in a version of Superset prior to 4.1.2.

An attacker can gain unauthorized access to sensitive resources in Apache Superset if the default SECRET_KEY hasn't been changed, allowing them to manipulate session cookies. This vulnerability only affects installations that haven't followed the setup instructions to configure a unique SECRET_KEY.