An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data.

This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Affected Packages

PyPI apache-superset

Affected versions: 0 (fixed in 3.0.4)

PyPI apache-superset

Affected versions: 3.1.0 (fixed in 3.1.1)

Related CVEs

CVE-2024-27315

Key Information

GHSA ID

GHSA-h7r6-8qmm-hj5r

Published

February 28, 2024 12:30 PM

Last Modified

October 3, 2024 6:06 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-superset

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.