-
Notifications
You must be signed in to change notification settings - Fork 14k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: update security policy and add CVE info (#24769)
(cherry picked from commit 165afee)
- Loading branch information
1 parent
98ec909
commit d92f9a7
Showing
4 changed files
with
71 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Security Policy | ||
|
|
||
| This is a project of the [Apache Software Foundation](https://apache.org) and follows the | ||
| ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling). | ||
|
|
||
| ## Reporting Vulnerabilities | ||
|
|
||
| **⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️** | ||
|
|
||
|
|
||
| Apache Software Foundation takes a rigorous standpoint in annihilating the security issues | ||
| in its software projects. Apache Superset is highly sensitive and forthcoming to issues | ||
| pertaining to its features and functionality. | ||
| If you have any concern or believe you have found a vulnerability in Apache Superset, | ||
| please get in touch with the Apache Security Team privately at | ||
| e-mail address [security@apache.org](mailto:security@apache.org). | ||
|
|
||
| More details can be found on the ASF website at | ||
| [ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability) | ||
|
|
||
| We kindly ask you to include the following information in your report: | ||
| - Apache Superset version that you are using | ||
| - A sanitized copy of your `superset_config.py` file or any config overrides | ||
| - Detailed steps to reproduce the vulnerability | ||
|
|
||
| Note that Apache Superset is not responsible for any third-party dependencies that may | ||
| have security issues. Any vulnerabilities found in third-party dependencies should be | ||
| reported to the maintainers of those projects. Results from security scans of Apache | ||
| Superset dependencies found on its official Docker image can be remediated at release time | ||
| by extending the image itself. | ||
|
|
||
| **Your responsible disclosure and collaboration are invaluable.** | ||
|
|
||
| ## Extra Information | ||
|
|
||
| - [Apache Superset documentation](https://superset.apache.org/docs/security) | ||
| - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves) | ||
| - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| { | ||
| "label": "Security", | ||
| "position": 10 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| --- | ||
| title: CVEs by release | ||
| hide_title: true | ||
| sidebar_position: 2 | ||
| --- | ||
|
|
||
| #### Version 2.1.0 | ||
|
|
||
| | CVE | Title | Affected | | ||
| | :------------- | :---------------------------------------------------------------------- | -----------------:| | ||
| | CVE-2023-25504 | Possible SSRF on import datasets | <= 2.1.0 | | ||
| | CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY | <= 2.1.0 | | ||
| | CVE-2023-27525 | Incorrect default permissions for Gamma role | <= 2.1.0 | | ||
| | CVE-2023-30776 | Database connection password leak | <= 2.1.0 | | ||
|
|
||
|
|
||
| #### Version 2.0.1 | ||
|
|
||
| | CVE | Title | Affected | | ||
| | :------------- | :---------------------------------------------------------- | -----------------:| | ||
| | CVE-2022-41703 | SQL injection vulnerability in adhoc clauses | < 2.0.1 or <1.5.2 | | ||
| | CVE-2022-43717 | Cross-Site Scripting on dashboards | < 2.0.1 or <1.5.2 | | ||
| | CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms | < 2.0.1 or <1.5.2 | | ||
| | CVE-2022-43719 | Cross Site Request Forgery (CSRF) on accept, request access | < 2.0.1 or <1.5.2 | | ||
| | CVE-2022-43720 | Improper rendering of user input | < 2.0.1 or <1.5.2 | | ||
| | CVE-2022-43721 | Open Redirect Vulnerability | < 2.0.1 or <1.5.2 | | ||
| | CVE-2022-45438 | Dashboard metadata information leak | < 2.0.1 or <1.5.2 | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters