PyPI: superset
CVE-2021-28125
Safety vulnerability ID: SFTY-20210427-31164
Safety legacy ID: pyup.io-54264
Apache Superset prior to 1.1.0 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.
Overview
Open Redirect in Apache Superset
Advisory
Apache Superset prior to 1.1.0 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.
How to Fix
We recommend updating superset to the latest non-vulnerable version.
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20210427-31164/CVE-2021-28125
- http://www.openwall.com/lists/oss-security/2021/04/27/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28125
- https://github.com/advisories/GHSA-pfwg-rxf4-97c3
- https://github.com/apache/superset
- https://github.com/apache/superset/commit/eb35b804acf4d84cb70d02743e04b8afebbee029
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-128.yaml
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3C
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3Cdev.superset.apache.org%3E
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cde
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cdev.superset.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-28125
- https://nvd.nist.gov/vuln/detail/CVE-2021-28125
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3Cdev.superset.apache.org%3E
- https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cdev.superset.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/04/27/2
- https://github.com/apache/superset/commit/eb35b804acf4d84cb70d02743e04b8afebbee029
- https://github.com/advisories/GHSA-pfwg-rxf4-97c3
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-128.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more