From e37202577af683aef06408ce8505919c8451e8ae Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Fri, 21 Jul 2023 14:05:00 +0100 Subject: [PATCH 1/3] docs: update security policy and add CVE info --- .github/SECURITY.md | 37 +++++++++++++++++++++++++++ docs/docs/security/_category_.json | 4 +++ docs/docs/security/cves.mdx | 27 +++++++++++++++++++ docs/docs/{ => security}/security.mdx | 4 +-- 4 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 .github/SECURITY.md create mode 100644 docs/docs/security/_category_.json create mode 100644 docs/docs/security/cves.mdx rename docs/docs/{ => security}/security.mdx (99%) diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000000..a338150b1f0ab --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,37 @@ +# Security Policy + +This is a project of the [Apache Software Foundation](https://apache.org) and follows the +ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling). + +## Reporting Vulnerabilities + +**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️** + + +Apache Software Foundation takes a rigorous standpoint in annihilating the security issues +in its software projects. Apache Superset is highly sensitive and forthcoming to issues +pertaining to its features and functionality. +If you have any concern or believe you have found a vulnerability in Apache Superset, +please get in touch with the Apache Security Team privately at +e-mail address [security@apache.org](mailto:security@apache.org). + +More details can be found on the ASF website at +[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability) + +We kindly ask you to include the following information in your report: +- Apache Superset version that you are using +- A sanitized copy of your `superset_config.py` file or any config overrides +- Detailed steps to reproduce the vulnerability + +Note that Apache Superset is not responsible for any third-party dependencies that may +have security issues. Any vulnerabilities found in third-party dependencies should be +reported to the maintainers of those projects. Results from security scans of Apache +Superset dependencies found on its official Docker image can be remediated at release time +by extending the image itself. + +**Your responsible disclosure and collaboration are invaluable.** + +## Extra Information + + - [Apache Superset documentation](https://superset.apache.org/docs/security) + - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves) diff --git a/docs/docs/security/_category_.json b/docs/docs/security/_category_.json new file mode 100644 index 0000000000000..7d24a44873bcf 
--- /dev/null +++ b/docs/docs/security/_category_.json @@ -0,0 +1,4 @@ +{ + "label": "Security", + "position": 10 +} diff --git a/docs/docs/security/cves.mdx b/docs/docs/security/cves.mdx new file mode 100644 index 0000000000000..148af09c54c98 --- /dev/null +++ b/docs/docs/security/cves.mdx @@ -0,0 +1,27 @@ +--- +title: CVEs by release +hide_title: true +sidebar_position: 2 +--- + +#### Version 2.1.0 + +| CVE | Title | Affected | +| :------------- | :---------------------------------------------------------------------- | -----------------:| +| CVE-2023-25504 | Possible SSRF on import datasets | <= 2.1.0 | +| CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY | <= 2.1.0 | +| CVE-2023-27525 | Incorrect default permissions for Gamma role | <= 2.1.0 | +| CVE-2023-30776 | Database connection password leak | <= 2.1.0 | + + +#### Version 2.0.1 + +| CVE | Title | Affected | +| :------------- | :---------------------------------------------------------- | -----------------:| +| CVE-2022-41703 | SQL injection vulnerability in adhoc clauses | < 2.0.1 or <1.5.2 | +| CVE-2022-43717 | Cross-Site Scripting on dashboards | < 2.0.1 or <1.5.2 | +| CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms | < 2.0.1 or <1.5.2 | +| CVE-2022-43719 | Cross Site Request Forgery (CSRF) on accept, request access | < 2.0.1 or <1.5.2 | +| CVE-2022-43720 | Improper rendering of user input | < 2.0.1 or <1.5.2 | +| CVE-2022-43721 | Open Redirect Vulnerability | < 2.0.1 or <1.5.2 | +| CVE-2022-45438 | Dashboard metadata information leak | < 2.0.1 or <1.5.2 | diff --git a/docs/docs/security.mdx b/docs/docs/security/security.mdx similarity index 99% rename from docs/docs/security.mdx rename to docs/docs/security/security.mdx index ab6d41e895f40..5934af51df006 100644 --- a/docs/docs/security.mdx +++ b/docs/docs/security/security.mdx 
@@ -1,7 +1,7 @@ --- -title: Security +title: Role based Access hide_title: true -sidebar_position: 10 +sidebar_position: 1 --- ### Roles From 7f2c568627da00dcc2b9abb89671eb3e840be835 Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Tue, 25 Jul 2023 10:22:06 +0100 Subject: [PATCH 2/3] adding blog with more info --- .github/SECURITY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index a338150b1f0ab..3211c09bb6913 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -35,3 +35,4 @@ by extending the image itself. - [Apache Superset documentation](https://superset.apache.org/docs/security) - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves) + - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/) From 8fa5d1e9d414f3ca26a8c3a606b3fb55c7d4deed Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Tue, 25 Jul 2023 13:01:13 +0100 Subject: [PATCH 3/3] lint --- .github/SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 3211c09bb6913..f35b9c48f0eec 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -9,7 +9,7 @@ ASF [vulnerability handling process](https://apache.org/security/#vulnerability- Apache Software Foundation takes a rigorous standpoint in annihilating the security issues -in its software projects. Apache Superset is highly sensitive and forthcoming to issues +in its software projects. Apache Superset is highly sensitive and forthcoming to issues pertaining to its features and functionality. If you have any concern or believe you have found a vulnerability in Apache Superset, please get in touch with the Apache Security Team privately at 
@@ -23,9 +23,9 @@ We kindly ask you to include the following information in your report: - A sanitized copy of your `superset_config.py` file or any config overrides - Detailed steps to reproduce the vulnerability -Note that Apache Superset is not responsible for any third-party dependencies that may -have security issues. Any vulnerabilities found in third-party dependencies should be -reported to the maintainers of those projects. Results from security scans of Apache +Note that Apache Superset is not responsible for any third-party dependencies that may +have security issues. Any vulnerabilities found in third-party dependencies should be +reported to the maintainers of those projects. Results from security scans of Apache Superset dependencies found on its official Docker image can be remediated at release time by extending the image itself.
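Review bot: In the `.github/SECURITY.md` hunk of PATCH 1/3, the sentences "takes a rigorous standpoint in annihilating the security issues" and "is highly sensitive and forthcoming to issues" read as non-idiomatic and will puzzle reporters; plainer wording such as "The ASF takes security issues in its projects seriously, and Apache Superset responds promptly to reports affecting its features" carries the same meaning. In the same hunk, "A sanitized copy of your `superset_config.py` file" should say what sanitized means, since a reporter will otherwise paste the file as-is: at minimum strip `SECRET_KEY`, database connection strings and any OAuth/LDAP credentials before sending it, the first two being exactly the kind of values the CVE table in this patch lists as sensitive.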
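Review bot: In the `docs/docs/security/cves.mdx` hunk, the "Version 2.1.0" section lists every CVE as affecting `<= 2.1.0`, while the "Version 2.0.1" section uses `< 2.0.1 or <1.5.2`; if the heading means "fixed in this release" the first range should be `< 2.1.0`, and if 2.1.0 itself is still affected the heading is misleading. Please make the convention explicit with one intro line above the first heading (for example "Each section lists the CVEs fixed in that release; Affected gives the vulnerable version range") and use one spacing style for the ranges (`< 1.5.2`, not `<1.5.2`) so the column stays readable when right-aligned.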
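Review bot: In the rename hunk for `docs/docs/security/security.mdx`, the new title `Role based Access` should be hyphenated (`Role-based Access`). More importantly, `.github/SECURITY.md` added in the same patch links to `https://superset.apache.org/docs/security`, which was the URL of the file before it moved into the `security/` folder; please confirm that path still resolves once the page becomes `security/security.mdx` under the new category, or set a slug or redirect so the policy document does not point at a 404.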
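Review bot: In the PATCH 2/3 hunk, the added link points at a vendor blog (`preset.io`) from an ASF project's official security policy; the other two entries in the list are on `superset.apache.org`, so either confirm the project is fine with an external reference here or label it as external in the link text so readers know it is not ASF-maintained guidance.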