CVE-2023-42502

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
apacheCNA
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
apachesuperset
𝑥
< 3.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn
https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn