CVE-2022-41703

moderate-risk
Published 2023-01-16

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Do I need to act?

~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Apache

References (2)

Mailing List https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos
Mailing List https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos
35
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 4/34 · Minimal
Exposure 10/34 · Low