SCA: security update for apache-superset (GHSA-77pw-c3j2-5fc8)

high Tenable Cloud Security Plugin ID 411911

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In the course of work on the open source project it was discovered that authenticated users running
queries against Hive and Presto database engines could access information via a number of templated fields
including the contents of query description metadata database, the hashed version of the authenticated
users’ password, and access to connection information including the plaintext password for the current
connection. It would also be possible to run arbitrary methods on the database connection object for the
Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This
vulnerability is present in every Apache Superset version < 0.37.2. (CVE-2020-13952)

See Also

https://github.com/advisories/GHSA-77pw-c3j2-5fc8

Plugin Details

Severity: High

ID: 411911

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2020-13952

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 6.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/30/2021

Vulnerability Publication Date: 9/30/2020

Reference Information

CVE: CVE-2020-13952

cwe: CWE-200