Apache Superset Vulnerabilities: Addressing Stored XSS, Privilege Escalation, and Unnecessary Read Permissions

Apache Superset, a popular open-source data visualization and exploration platform, has recently been identified as harboring three critical security vulnerabilities. These vulnerabilities pose a significant risk to organizations that rely on Apache Superset to analyze and visualize their data.

CVE-2023-43701: Stored Cross-Site Scripting (XSS)

The first vulnerability, CVE-2023-43701, is a stored cross-site scripting (XSS) flaw that could allow an attacker to inject malicious code into Apache Superset’s metadata. This malicious code could then be executed when a user accesses a specific deprecated API endpoint. This vulnerability affects Apache Superset versions prior to 2.1.2.

CVE-2023-40610: Privilege Escalation

The second vulnerability, CVE-2023-40610, is a privilege escalation vulnerability that could allow an attacker to gain unauthorized access to sensitive data. This vulnerability is caused by an improper authorization check in Apache Superset versions up to but excluding 2.1.2.

CVE-2023-42501: Unnecessary Read Permissions

The third vulnerability, CVE-2023-42501, grants unnecessary read permissions to the Gamma role. This vulnerability could allow attackers to read configured CSS templates and annotations. This vulnerability affects Apache Superset versions prior to 2.1.2.

Remediation and Mitigation

To address these vulnerabilities, Apache Superset recommends that users upgrade to version 2.1.2 or later. In addition, users should run the superset init command to rebuild the Gamma role, or else remove the can_read permission from the affected resources (CSS templates and annotations).
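A small audit helper that encodes the two checks the remediation above calls for (is the version prior to 2.1.2, and does the Gamma role still hold can_read on CSS templates and annotations). This is an added example, not Superset's own code; it assumes Superset's Flask-AppBuilder style of representing a role's grants as (permission, view_menu) pairs, and the resource names "CssTemplate" and "Annotation" are assumptions to confirm on your own instance.

```python
import re

# Version at which the advisory says all three issues are fixed.
FIXED_VERSION = (2, 1, 2, 0)
# Assumed view-menu names for the two resources the advisory names
# (CSS templates and annotations); confirm them on your own instance.
WATCHED_RESOURCES = {"CssTemplate", "Annotation"}

def parse_version(version):
    """Map '2.1.1', '2.1.2rc1' or '3.0.0' to a comparable tuple; a pre-release
    suffix sorts below the final release, so '2.1.2rc1' is still prior to 2.1.2."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError("unrecognised Superset version string: %r" % version)
    major, minor, patch, suffix = m.groups()
    pre = -1 if re.match(r"^[.-]?(rc|alpha|beta|dev|a|b)\d*$", suffix, re.I) else 0
    return (int(major), int(minor), int(patch), pre)

def is_affected(version):
    """True when the instance runs a version prior to 2.1.2."""
    return parse_version(version) < FIXED_VERSION

def excess_read_grants(role_name, grants):
    """(permission, resource) pairs the Gamma role should not hold."""
    if role_name != "Gamma":
        return []
    return sorted(g for g in grants if g[0] == "can_read" and g[1] in WATCHED_RESOURCES)

def audit(version, role_name, grants):
    """Findings for one instance and one role, as the advisory frames them."""
    findings = []
    if is_affected(version):
        findings.append("version %s is prior to 2.1.2: upgrade" % version)
    for perm, res in excess_read_grants(role_name, grants):
        findings.append("%s holds %s on %s: run 'superset init' or drop the grant" % (role_name, perm, res))
    return findings

# Constructed sample: a pre-fix instance whose Gamma role carries the extra reads.
SAMPLE_GAMMA_GRANTS = [
    ("can_read", "Chart"),
    ("can_read", "Dashboard"),
    ("can_read", "CssTemplate"),
    ("can_read", "Annotation"),
    ("can_write", "Chart"),
]

if __name__ == "__main__":
    for line in audit("2.1.1", "Gamma", SAMPLE_GAMMA_GRANTS):
        print(line)
```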