CVE-2025-55673
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | superset | to 4.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Apache Superset versions before 4.1.3, where a guest user accessing a chart receives an API response from the /chart/data endpoint that includes a 'query' field. This field improperly exposes the underlying database query, revealing sensitive database schema information such as table names to low-privileged guest users.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of database schema information to guest users with low privileges. This exposure can aid attackers in understanding the database structure, potentially facilitating further attacks or data breaches.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Superset to version 4.1.3 or later, which fixes the issue of improper disclosure of database schema information to guest users.