CVE-2021-41972: Apache Superset allowed for database connections password leak for authenticated users

May 24, 2022 (updated November 18, 2024)

Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.

References

github.com/advisories/GHSA-42q4-9xf9-f67x
github.com/apache/superset
github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-434.yaml
lists.apache.org/thread/xpdl2r538o695o7r9gd9qrwqb17bdd3v
nvd.nist.gov/vuln/detail/CVE-2021-41972
seclists.org/oss-sec/2021/q4/106

Code Behaviors & Features

Detect and mitigate CVE-2021-41972 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →