CVE-2023-42505: Apache Superset Exposure of Sensitive Information to an Unauthorized Actor vulnerability

November 28, 2023 (updated February 13, 2025)

An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection’s username.

This issue affects Apache Superset before 3.0.0.

References

github.com/advisories/GHSA-fgpw-4w69-j256
github.com/apache/superset
lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y
nvd.nist.gov/vuln/detail/CVE-2023-42505

Code Behaviors & Features

Detect and mitigate CVE-2023-42505 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →