CVE-2022-43719

Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/xc309h2dphrkg33154djf3nqlh2xc1c0	Mailing List Vendor Advisory
https://lists.apache.org/thread/xc309h2dphrkg33154djf3nqlh2xc1c0	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:superset::::::::
	cpe:2.3:a:apache:superset:2.0.0:-::::::
	cpe:2.3:a:apache:superset:2.0.0:rc1::::::
	cpe:2.3:a:apache:superset:2.0.0:rc2::::::

History

No history.

Information

Published : 2023-01-16 11:15

Updated : 2025-04-07 15:15

NVD link : CVE-2022-43719

Mitre link : CVE-2022-43719

CVE.ORG link : CVE-2022-43719

JSON object : View

Products Affected

apache

superset

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2022-43719", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-01-16T11:15:10.513", "references": [{"url": "https://lists.apache.org/thread/xc309h2dphrkg33154djf3nqlh2xc1c0", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/xc309h2dphrkg33154djf3nqlh2xc1c0", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n\n\n"}, {"lang": "es", "value": "Dos endpoints de API REST heredados para aprobaci\u00f3n y acceso a solicitudes son vulnerables a la Cross Site Request Forgery. Este problema afecta a Apache Superset versi\u00f3n 1.5.2 y versiones anteriores y a la versi\u00f3n 2.0.0."}], "lastModified": "2025-04-07T15:15:40.867", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD514249-ED9E-45F1-9D50-4A7CE6DB166B", "versionEndIncluding": "1.5.2"}, {"criteria": "cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35CD3C6F-B3E0-437C-A1D7-EF700C76923C"}, {"criteria": "cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADD3485B-3FFC-4B60-89F5-E4ECA0C680B6"}, {"criteria": "cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC060A49-79ED-4539-9E68-EDB15D7F2445"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}