CVE-2020-1932
MEDIUMApache Superset 0.34.0-0.35.1 - Authenticated Information Disclosure via Undocumented API Endpoint
Title source: llmDescription
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.
References (1)
Core 1
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/r4e5323c3bc786005495311a6ff53ac6d990b2c7eb52941a1a13ce227%40%3Cdev.superset.apache.org%3E
Scores
CVSS v3
6.5
EPSS
0.0135
EPSS Percentile
68.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
Status
published
Products (5)
apache/superset
0.34.0
apache/superset
0.34.1
apache/superset
0.35.0
apache/superset
0.35.1
pypi/apache-superset
0.34.0 - 0.35.2PyPI
Published
Jan 28, 2020
Tracked Since
Feb 18, 2026