This is an automated email from the ASF dual-hosted git repository.
dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 251ce2ed2a docs: add CVEs for 2.1.1 (#25206)
251ce2ed2a is described below
commit 251ce2ed2a79cfa2ef683d0e2f460b44844a1dcd
Author: Daniel Vaz Gaspar <[email protected]>
AuthorDate: Wed Sep 6 15:39:14 2023 +0100
docs: add CVEs for 2.1.1 (#25206)
---
docs/docs/security/cves.mdx | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/docs/docs/security/cves.mdx b/docs/docs/security/cves.mdx
index 148af09c54..9577650537 100644
--- a/docs/docs/security/cves.mdx
+++ b/docs/docs/security/cves.mdx
@@ -4,20 +4,34 @@ hide_title: true
sidebar_position: 2
---
+#### Version 2.1.1
+
+| CVE | Title
| Affected |
+|:---------------|:------------------------------------------------------------------------|---------:|
+| CVE-2023-36387 | Improper API permission for low privilege users
| < 2.1.1 |
+| CVE-2023-36388 | Improper API permission for low privilege users allows for
SSRF | < 2.1.1 |
+| CVE-2023-27523 | Improper data permission validation on Jinja templated
queries | < 2.1.1 |
+| CVE-2023-27526 | Improper Authorization check on import charts
| < 2.1.1 |
+| CVE-2023-39264 | Stack traces enabled by default
| < 2.1.1 |
+| CVE-2023-39265 | Possible Unauthorized Registration of SQLite Database
Connections | < 2.1.1 |
+| CVE-2023-37941 | Metadata db write access can lead to remote code execution
| < 2.1.1 |
+| CVE-2023-32672 | SQL parser edge case bypasses data access authorization
| < 2.1.1 |
+
+
#### Version 2.1.0
-| CVE | Title
| Affected |
-| :------------- |
:---------------------------------------------------------------------- |
-----------------:|
-| CVE-2023-25504 | Possible SSRF on import datasets
| <= 2.1.0 |
-| CVE-2023-27524 | Session validation vulnerability when using provided
default SECRET_KEY | <= 2.1.0 |
-| CVE-2023-27525 | Incorrect default permissions for Gamma role
| <= 2.1.0 |
-| CVE-2023-30776 | Database connection password leak
| <= 2.1.0 |
+| CVE | Title
| Affected |
+|:---------------|:------------------------------------------------------------------------|---------:|
+| CVE-2023-25504 | Possible SSRF on import datasets
| < 2.1.0 |
+| CVE-2023-27524 | Session validation vulnerability when using provided
default SECRET_KEY | < 2.1.0 |
+| CVE-2023-27525 | Incorrect default permissions for Gamma role
| < 2.1.0 |
+| CVE-2023-30776 | Database connection password leak
| < 2.1.0 |
#### Version 2.0.1
-| CVE | Title
| Affected |
-| :------------- | :----------------------------------------------------------
| -----------------:|
+| CVE | Title
| Affected |
+|:---------------|:------------------------------------------------------------|------------------:|
| CVE-2022-41703 | SQL injection vulnerability in adhoc clauses
| < 2.0.1 or <1.5.2 |
| CVE-2022-43717 | Cross-Site Scripting on dashboards
| < 2.0.1 or <1.5.2 |
| CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms
| < 2.0.1 or <1.5.2 |
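Review bot: The Version 2.1.0 table's Affected column changes from `<= 2.1.0` to `< 2.1.0` for all four existing entries (CVE-2023-25504, CVE-2023-27524, CVE-2023-27525, CVE-2023-30776), which is a change to the documented affected range rather than the addition of 2.1.1 entries that the commit message ("docs: add CVEs for 2.1.1") describes. Because this alters whether readers understand 2.1.0 itself to be affected, please mention the correction in the commit message or split it into its own commit so the history explains it. Minor style point: the new Version 2.1.1 section ends with two added blank lines before `#### Version 2.1.0`, whereas the other version headings in this file follow the preceding table or front matter directly; one blank line (or none, matching the rest of the file) would keep the layout consistent.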