An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.

Affected Packages

PyPI apache-superset

Affected versions: 0 (fixed in 3.0.0)

Related CVEs

CVE-2023-42502

Key Information

GHSA ID

GHSA-hc74-9vjm-c9xv

Published

November 28, 2023 6:30 PM

Last Modified

December 5, 2023 9:56 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-superset

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.