CVE-2023-42502
MEDIUM
Apache Superset < 3.0.0 - Authenticated Open Redirect via HTTP Host Header Spoofing
Title source: llmDescription
An authenticated attacker with the update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header; users could then be redirected to that site when clicking on the affected dataset. This issue affects Apache Superset versions before 3.0.0.
References (1)
Core References
Mailing List, Third Party Advisory, vendor-advisory
https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn
Scores
CVSS v3
4.8
EPSS
0.0009
EPSS Percentile
25.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (2)
apache/superset
< 3.0.0
pypi/apache-superset
0 - 3.0.0 (PyPI)
Published
Nov 28, 2023
Tracked Since
Feb 18, 2026