{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39264", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-07-26T15:04:49.327Z", "datePublished": "2023-09-06T12:58:59.791Z", "dateUpdated": "2024-09-26T15:23:54.656Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Miguel Segovia Gil"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">This vulnerability exists </span>in Apache Superset versions up to and including 2.1.0."}], "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-06T12:58:59.791Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Stack traces enabled by default", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.790Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T14:48:40.133061Z", "id": "CVE-2023-39264", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T15:23:54.656Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.790Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39264", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T14:48:40.133061Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T15:23:50.492Z"}}], "cna": {"title": "Apache Superset: Stack traces enabled by default", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Miguel Segovia Gil"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Superset", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0.", "supportingMedia": [{"type": "text/html", "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">This vulnerability exists </span>in Apache Superset versions up to and including 2.1.0.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-06T12:58:59.791Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39264", "state": "PUBLISHED", "dateUpdated": "2024-09-26T15:23:54.656Z", "dateReserved": "2023-07-26T15:04:49.327Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-09-06T12:58:59.791Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5C7318E-1118-457F-A2BC-8B9400AE7C3C", "versionEndIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.\u00a0This vulnerability exists in Apache Superset versions up to and including 2.1.0."}, {"lang": "es", "value": "De forma predeterminada, se habilitaron los traces de memoria para errores, lo que result\u00f3 en la exposici\u00f3n de los seguimientos internos en los endpoints de la API REST para los usuarios. Esta vulnerabilidad existe en las versiones de Apache Superset hasta la versi\u00f3n 2.1.0 incluida. "}], "id": "CVE-2023-39264", "lastModified": "2024-11-21T08:15:00.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@apache.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-06T13:15:08.927", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{}