mirror of
https://github.com/apache/superset.git
synced 2026-05-23 00:36:01 +00:00
4266d36cf4
Snapshots all four versioned Docusaurus sections at v6.1.0, cut from master after the version-cutting tooling (#39837) and broken-internal- links fixes (#40102) landed. Captures fresh auto-generated content and freezes data dependencies so the historical snapshot stays correct. Versioning behavior: lastVersion stays at current for every section, so the canonical URLs (/docs/..., /admin-docs/..., /developer-docs/..., /components/...) continue to render content from master. The current version is consistently labeled "Next" with an unreleased banner, and 6.1.0 is a historical pin accessible only via its explicit version segment. Component playground: previously disabled: true in versions-config.json, now enabled and versioned. The plugin block in docusaurus.config.ts was already gated only by the disabled flag, so no other code changes were needed to bring it back online. Snapshot includes: - All MDX content for the four sections. - Auto-gen captured fresh: 74 database pages (engine spec metadata), ~1,800 API reference files (openapi.json), 59 component pages (Storybook stories). - Data imports frozen at cut time into snapshot-local _versioned_data/ dirs: versioned_docs/version-6.1.0/_versioned_data/src/data/databases.json (canonical 80-database diagnostics from master, preserved by the generator's input-hash cache) admin_docs_versioned_docs/version-6.1.0/_versioned_data/data/countries.json admin_docs_versioned_docs/version-6.1.0/_versioned_data/static/feature-flags.json developer_docs_versioned_docs/version-6.1.0/_versioned_data/static/data/components.json - Import paths in deeply-nested files rewritten so they still resolve from one directory deeper inside the snapshot. Verified via full yarn build: exit 0, no broken links surfaced by onBrokenLinks: throw. Anchor warnings present are pre-existing on master (community#superset-community-calendar) and unrelated.
141 lines
9.3 KiB
Plaintext
141 lines
9.3 KiB
Plaintext
---
|
|
title: CVEs fixed by release
|
|
sidebar_position: 2
|
|
---
|
|
#### Version 6.0.0
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:-----------------------------------------------------------------------------------|---------:|
|
|
| CVE-2026-23980 | Improper Neutralization of Special Elements used in a SQL Command | < 6.0.0 |
|
|
| CVE-2026-23982 | Improper Authorization in Dataset Creation Allows Access Control Bypass | < 6.0.0 |
|
|
| CVE-2026-23983 | Information Disclosure of sensitive user info via Tags | < 6.0.0 |
|
|
| CVE-2026-23984 | SQLLab Read-Only Bypass on PostgreSQL (DML execution) | < 6.0.0 |
|
|
|
|
#### Version 5.0.0
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:-----------------------------------------------------------------------------------|---------:|
|
|
| CVE-2025-55673 | Exposure of Sensitive Information to an Unauthorized Actor | < 5.0.0 |
|
|
| CVE-2025-55674 | Improper Neutralization of Special Elements used in an SQL Command | < 5.0.0 |
|
|
| CVE-2025-55675 | Improper Access Control leading to Information Disclosure | < 5.0.0 |
|
|
|
|
#### Version 4.1.3
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:-----------------------------------------------------------------------------------|---------:|
|
|
| CVE-2025-55672 | Improper Neutralization of Input During Web Page Generation | < 4.1.3 |
|
|
|
|
#### Version 4.1.2
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:-----------------------------------------------------------------------------------|---------:|
|
|
| CVE-2025-27696 | Improper authorization leading to resource ownership takeover | < 4.1.2 |
|
|
| CVE-2025-48912 | Improper authorization bypass on row level security via SQL Injection | < 4.1.2 |
|
|
| CVE-2026-23969 | Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering | < 4.1.2 |
|
|
|
|
#### Version 4.1.0
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:-----------------------------------------------------------------------------------|---------:|
|
|
| CVE-2024-53947 | Improper SQL authorisation, parse for specific postgres functions | < 4.1.0 |
|
|
| CVE-2024-53948 | Error verbosity exposes metadata in analytics databases | < 4.1.0 |
|
|
| CVE-2024-53949 | Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled | < 4.1.0 |
|
|
| CVE-2024-55633 | SQLLab Improper readonly query validation allows unauthorized write access | < 4.1.0 |
|
|
|
|
#### Version 4.0.2
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:----------------------------|---------:|
|
|
| CVE-2024-39887 | Improper SQL authorization | < 4.0.1 |
|
|
|
|
#### Version 3.1.3, 4.0.1
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:----------------------------|----------------------------:|
|
|
| CVE-2024-34693 | Server arbitrary file read | < 3.1.3, >= 4.0.0, < 4.0.1 |
|
|
|
|
#### Version 3.1.2
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:--------------------------------------------------------|---------:|
|
|
| CVE-2024-28148 | Incorrect datasource authorization on explore REST API | < 3.1.2 |
|
|
|
|
#### Version 3.0.4, 3.1.1
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:-----------------------------------------------------------------------------|----------------------------:|
|
|
| CVE-2024-27315 | Improper error handling on alerts | < 3.0.4, >= 3.1.0, < 3.1.1 |
|
|
| CVE-2024-24773 | Improper validation of SQL statements allows for unauthorized access to data | < 3.0.4, >= 3.1.0, < 3.1.1 |
|
|
| CVE-2024-24772 | Improper Neutralisation of custom SQL on embedded context | < 3.0.4, >= 3.1.0, < 3.1.1 |
|
|
| CVE-2024-24779 | Improper data authorization when creating a new dataset | < 3.0.4, >= 3.1.0, < 3.1.1 |
|
|
| CVE-2024-26016 | Improper authorization validation on dashboards and charts import | < 3.0.4, >= 3.1.0, < 3.1.1 |
|
|
|
|
#### Version 3.0.3
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:----------------------------------------------|---------:|
|
|
| CVE-2023-49657 | Stored XSS in Dashboard Title and Chart Title | < 3.0.3 |
|
|
|
|
#### Version 3.0.2, 2.1.3
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------|---------------------------:|
|
|
| CVE-2023-46104 | Allows for uncontrolled resource consumption via a ZIP bomb | < 2.1.3, >= 3.0.0, < 3.0.2 |
|
|
| CVE-2023-49736 | SQL Injection on where_in JINJA macro | < 2.1.3, >= 3.0.0, < 3.0.2 |
|
|
| CVE-2023-49734 | Privilege Escalation Vulnerability | < 2.1.3, >= 3.0.0, < 3.0.2 |
|
|
|
|
#### Version 3.0.0
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------------------|---------:|
|
|
| CVE-2023-42502 | Open Redirect Vulnerability | < 3.0.0 |
|
|
| CVE-2023-42505 | Sensitive information disclosure on db connection details | < 3.0.0 |
|
|
|
|
#### Version 2.1.3
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------------------|---------:|
|
|
| CVE-2023-42504 | Lack of rate limiting allows for possible denial of service | < 2.1.3 |
|
|
|
|
#### Version 2.1.2
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------------------|---------:|
|
|
| CVE-2023-40610 | Privilege escalation with default examples database | < 2.1.2 |
|
|
| CVE-2023-42501 | Unnecessary read permissions within the Gamma role | < 2.1.2 |
|
|
| CVE-2023-43701 | Stored XSS on API endpoint | < 2.1.2 |
|
|
|
|
#### Version 2.1.1
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------------------|---------:|
|
|
| CVE-2023-36387 | Improper API permission for low privilege users | < 2.1.1 |
|
|
| CVE-2023-36388 | Improper API permission for low privilege users allows for SSRF | < 2.1.1 |
|
|
| CVE-2023-27523 | Improper data permission validation on Jinja templated queries | < 2.1.1 |
|
|
| CVE-2023-27526 | Improper Authorization check on import charts | < 2.1.1 |
|
|
| CVE-2023-39264 | Stack traces enabled by default | < 2.1.1 |
|
|
| CVE-2023-39265 | Possible Unauthorized Registration of SQLite Database Connections | < 2.1.1 |
|
|
| CVE-2023-37941 | Metadata db write access can lead to remote code execution | < 2.1.1 |
|
|
| CVE-2023-32672 | SQL parser edge case bypasses data access authorization | < 2.1.1 |
|
|
|
|
#### Version 2.1.0
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------------------|---------:|
|
|
| CVE-2023-25504 | Possible SSRF on import datasets | < 2.1.0 |
|
|
| CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY | < 2.1.0 |
|
|
| CVE-2023-27525 | Incorrect default permissions for Gamma role | < 2.1.0 |
|
|
| CVE-2023-30776 | Database connection password leak | < 2.1.0 |
|
|
|
|
#### Version 2.0.1
|
|
|
|
| CVE | Title | Affected |
|
|
|:---------------|:------------------------------------------------------------|------------------: |
|
|
| CVE-2022-41703 | SQL injection vulnerability in adhoc clauses | < 2.0.1 or < 1.5.2 |
|
|
| CVE-2022-43717 | Cross-Site Scripting on dashboards | < 2.0.1 or < 1.5.2 |
|
|
| CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms | < 2.0.1 or < 1.5.2 |
|
|
| CVE-2022-43719 | Cross Site Request Forgery (CSRF) on accept, request access | < 2.0.1 or < 1.5.2 |
|
|
| CVE-2022-43720 | Improper rendering of user input | < 2.0.1 or < 1.5.2 |
|
|
| CVE-2022-43721 | Open Redirect Vulnerability | < 2.0.1 or < 1.5.2 |
|
|
| CVE-2022-45438 | Dashboard metadata information leak | < 2.0.1 or < 1.5.2 |
|