CVE-2025-55675
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | superset | up to 5.0.0 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control issue in Apache Superset's /explore endpoint. It allows an authenticated user to bypass authorization checks and access metadata about datasources they are not permitted to see. By changing the datasource_id parameter in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to disclosure of sensitive information.
How can this vulnerability impact me?
The vulnerability can lead to sensitive information disclosure by allowing unauthorized users to discover metadata about datasources they should not access. This could expose confidential or proprietary data details, potentially aiding further attacks or data breaches.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Superset to version 5.0.0 or later, as this version fixes the improper access control vulnerability in the /explore endpoint.