CVE-2022-45438

MEDIUM

Apache Superset < 1.5.2 - Exposure to Wrong Actor

Description

When the feature flag DASHBOARD_CACHE (disabled by default) was explicitly enabled, the system allowed an unauthenticated user to access dashboard configuration metadata using a REST API GET endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Scores

CVSS v3 5.3
EPSS 0.0324
EPSS Percentile 86.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-668
Status published

Affected Products (5)

apache/superset < 1.5.2
apache/superset
apache/superset
apache/superset
pypi/apache-superset PyPI

Timeline

Published Jan 16, 2023
Tracked Since Feb 18, 2026