Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.
Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Affected Packages

PyPI apache-superset

Affected versions: 0 (fixed in 2.1.2)

Related CVEs

CVE-2023-43701

Key Information

GHSA ID

GHSA-wq8q-99p5-xfrw

Published

November 27, 2023 12:30 PM

Last Modified

November 28, 2023 8:53 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-superset

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.