CVE-2023-42502

low-risk
Published 2023-11-28

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Apache

References (2)

Mailing List https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn
Mailing List https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn
24
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal