Home > Vulnerability Database > CVE-2020-13952

Mend.io Vulnerability Database

CVE-2020-13952

Good to know:

Date: October 16, 2020

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 0.37.2.

Language: Python

Severity Score

9.8

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-13952

Url: https://lists.apache.org/thread.html/rf1faa368f580d2cb691576bee1277855f769667f3114d5df1dacbea6%40%3Cdev.superset.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2020-13952

Severity Score

9.8

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version apache-superset - 0.37.2

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	10.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-13952

Good to know:

Date: October 16, 2020

Language: Python

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?