MaxCou opened a new issue #6369: Dashboard list source code leaking the entire list of users (through "Owners" filter)

URL: https://github.com/apache/incubator-superset/issues/6369

Make sure these boxes are checked before submitting your issue - thank you!

- [X] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [X] I have reproduced the issue with at least the latest released version of superset.
- [X] I have checked the issue tracker for the same issue and I haven't found one similar.

### Superset version

0.28.1

### Expected results

Source code of the Dashboard list containing the owners of the viewable dashboards only.

### Actual results

The source of the dashboard list webpages leaks all users created (because of the filter called "Owners"), regardless of the role assigned to the logged-in user. That vulnerability might be exploited by an attacker to extract the list of all users in a multi-tenancy instance of Superset, for example.

### Steps to reproduce

Visit any dashboard list webpage, open the "page source" and find the list of all users under the section "new AdminFilters". You can alternatively find that list by selecting the filter "Owners" and clicking on the "select value" field.
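The following is an added example (not Superset code) that models the problem the report describes: the "Owners" filter choices come from the whole user table, while the expected behaviour is to derive them from the dashboards the current user can actually see. `User`, `Dashboard`, the `published` flag and the role names are hypothetical and constructed here to make the difference testable.

```python
"""Hypothetical model of the owner-filter user leak (added example, not Superset code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "Admin" or a constructed tenant role name


@dataclass(frozen=True)
class Dashboard:
    title: str
    owners: frozenset  # owner usernames
    published: bool = False  # assumed visibility flag for non-owners


def visible_dashboards(user, dashboards):
    """Admins see every dashboard; others see what they own or what is published."""
    if user.role == "Admin":
        return list(dashboards)
    return [d for d in dashboards if user.username in d.owners or d.published]


def owner_choices_leaky(user, all_users, dashboards):
    """Reported behaviour: every account is rendered into the filter, whatever the role."""
    return sorted(u.username for u in all_users)


def owner_choices_scoped(user, all_users, dashboards):
    """Expected behaviour: only owners of dashboards this user may view."""
    names = set()
    for d in visible_dashboards(user, dashboards):
        names |= d.owners
    return sorted(names)


def leaked_usernames(user, all_users, dashboards, choices_fn):
    """Usernames a filter implementation exposes beyond the scoped set (empty when fixed)."""
    allowed = set(owner_choices_scoped(user, all_users, dashboards))
    return sorted(set(choices_fn(user, all_users, dashboards)) - allowed)


# Constructed sample data: two tenants plus an admin, one cross-tenant published dashboard.
USERS = [User("admin", "Admin"), User("alice", "TenantA"), User("bob", "TenantA"),
         User("carol", "TenantB"), User("dave", "TenantB")]
DASHBOARDS = [Dashboard("A sales", frozenset({"alice"})),
              Dashboard("A shared", frozenset({"bob"}), published=True),
              Dashboard("B ops", frozenset({"carol"}))]

if __name__ == "__main__":
    alice = USERS[1]
    print("leaky filter exposes:", leaked_usernames(alice, USERS, DASHBOARDS, owner_choices_leaky))
    print("scoped filter exposes:", leaked_usernames(alice, USERS, DASHBOARDS, owner_choices_scoped))
```

Running it for `alice` shows the leaky variant exposing `admin`, `carol` and `dave`, none of whom own a dashboard she can view, while the scoped variant exposes nothing extra.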
This is an automated message from the Apache Git Service.
