Apache Superset Vulnerability Let Attackers Takeover Resource Ownership
- From the site: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
Apache Superset, the popular open-source data visualization and business intelligence platform, has been found to have a significant security vulnerability.
The vulnerability, CVE-2025-27696, allows authenticated users with read permissions to take over ownership of dashboards, charts, and datasets through improper authorization checks.
Security experts recommend immediate updates as this flaw potentially compromises data integrity and access controls in affected deployments.
Apache Superset Vulnerability
The vulnerability was publicly disclosed on Monday, May 12, 2025, by Daniel Gaspar, a core developer of the Apache Superset project, through a security advisory posted to the project’s mailing list.
According to the National Vulnerability Database (NVD), this improper authorization issue affects all Apache Superset versions through 4.1.1.
The official advisory states, “Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts, or datasets by authenticated users with read permissions.”
The security flaw permits users with minimal access rights to elevate their privileges and claim ownership of critical data visualization resources.
The technical details reveal a fundamental access control issue in Superset’s permission model.
When an authenticated user with basic read permissions sends specifically crafted requests to the application’s API endpoints, they can manipulate resource ownership attributes, effectively bypassing intended authorization controls.
This vulnerability is particularly concerning for organizations using Apache Superset in multi-tenant environments where strict data segregation is essential.
Apache Superset has recently gained significant popularity as a comprehensive data exploration and visualization platform.
The software allows users to create interactive dashboards and analyze complex data across numerous sources.
Released in November 2024, version 4.1 introduced several enhancements, including database catalog support, improved upload forms, and Slack integration, making it widely adopted across enterprises.
The vulnerability was discovered by security researcher João Marono, with Daniel Gaspar developing the remediation.
Risk Factors and Details
- Affected Products: Apache Superset versions ≤ 4.1.1
- Impact: Compromises confidentiality, integrity, and availability of dashboards, charts, and datasets
- Exploit Prerequisites: Requires an authenticated user with read permissions
Remediation
The Apache Superset team has addressed the issue in version 4.1.2, which was released shortly after the vulnerability disclosure. The release candidate for this version had been in testing prior to the public announcement.
Security experts classify this vulnerability as critical due to its potential impact on data governance and access control.
Organizations using Apache Superset for sensitive data analysis could be particularly exposed if malicious users exploit this vulnerability to gain unauthorized access to proprietary dashboards and datasets.
The Apache Software Foundation strongly recommends that all users upgrade to Apache Superset version 4.1.2 or later immediately.
For organizations unable to update immediately, implementing additional access controls at the network or application level may provide temporary mitigation, though these measures are not considered complete fixes.
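The weakness class described above (an update path that gates only on read permission, so a reader can rewrite a resource's owners) and the interim-mitigation point are illustrated below with an added example. It is hypothetical model code, not Apache Superset's own implementation or its real API; the role names mirror Superset's built-in Admin/Alpha/Gamma roles, the update handlers, the `Dashboard`/`User` types and the audit-record layout are assumptions.

```python
# Added illustration, not Apache Superset code: a minimal model of an update
# handler that checks only for read access (so a reader can take ownership),
# the hardened handler beside it, and a triage check over constructed audit
# records for deployments that cannot patch immediately.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # e.g. {"Gamma"} for read-only

@dataclass
class Dashboard:
    title: str
    owners: set = field(default_factory=set)

class Forbidden(Exception):
    pass

def _apply(dash: Dashboard, payload: dict) -> Dashboard:
    for key, value in payload.items():
        setattr(dash, key, set(value) if key == "owners" else value)
    return dash

def update_vulnerable(dash: Dashboard, actor: User, payload: dict) -> Dashboard:
    """Before the fix: any authenticated role may read, and the handler
    then applies every field in the payload, 'owners' included."""
    if not actor.roles:
        raise Forbidden("authentication required")
    return _apply(dash, payload)

def update_fixed(dash: Dashboard, actor: User, payload: dict) -> Dashboard:
    """After the fix: write access is decided per resource; only a current
    owner or an Admin may modify the dashboard, so ownership cannot be
    claimed by a reader who merely knows the endpoint."""
    if not actor.roles:
        raise Forbidden("authentication required")
    if actor.name not in dash.owners and "Admin" not in actor.roles:
        raise Forbidden(f"{actor.name} is not an owner of '{dash.title}'")
    return _apply(dash, payload)

def suspicious_owner_changes(events: list) -> list:
    """Triage for unpatched instances: each constructed audit record gives
    who changed the owners of which resource, their roles, and the owners
    before the change. Flag changes made by a non-owner, non-Admin actor."""
    return [e for e in events
            if e["actor"] not in e["owners_before"]
            and "Admin" not in e["actor_roles"]]
```

The same per-resource ownership gate should apply to charts and datasets, and the audit check is only useful if ownership changes are logged with the actor's roles and the prior owners.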
This incident follows earlier security concerns in Apache Superset, including CVE-2024-53949, which allowed lower-privilege users to create roles because of improper authorization checks; together they highlight the importance of keeping deployments up to date.