This is an automated email from the ASF dual-hosted git repository.
dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 165afee55a docs: update security policy and add CVE info (#24769)
165afee55a is described below
commit 165afee55a816e2e084ba2dac4cad7d5cb7d2a57
Author: Daniel Vaz Gaspar <[email protected]>
AuthorDate: Wed Jul 26 14:21:26 2023 +0100
docs: update security policy and add CVE info (#24769)
---
.github/SECURITY.md | 38 +++++++++++++++++++++++++++++++++++
docs/docs/security/_category_.json | 4 ++++
docs/docs/security/cves.mdx | 27 +++++++++++++++++++++++++
docs/docs/{ => security}/security.mdx | 4 ++--
4 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 0000000000..f35b9c48f0
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org) and
follows the
+ASF [vulnerability handling
process](https://apache.org/security/#vulnerability-handling).
+
+## Reporting Vulnerabilities
+
+**⚠️ Please do not file GitHub issues for security vulnerabilities as they are
public! ⚠️**
+
+
+Apache Software Foundation takes a rigorous standpoint in annihilating the
security issues
+in its software projects. Apache Superset is highly sensitive and forthcoming
to issues
+pertaining to its features and functionality.
+If you have any concern or believe you have found a vulnerability in Apache
Superset,
+please get in touch with the Apache Security Team privately at
+e-mail address [[email protected]](mailto:[email protected]).
+
+More details can be found on the ASF website at
+[ASF vulnerability reporting
process](https://apache.org/security/#reporting-a-vulnerability)
+
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability
+
+Note that Apache Superset is not responsible for any third-party dependencies
that may
+have security issues. Any vulnerabilities found in third-party dependencies
should be
+reported to the maintainers of those projects. Results from security scans of
Apache
+Superset dependencies found on its official Docker image can be remediated at
release time
+by extending the image itself.
+
+**Your responsible disclosure and collaboration are invaluable.**
+
+## Extra Information
+
+ - [Apache Superset documentation](https://superset.apache.org/docs/security)
+ - [Common Vulnerabilities and Exposures by
release](https://superset.apache.org/docs/security/cves)
+ - [How Security Vulnerabilities are Reported & Handled in Apache Superset
(Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
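Review bot: the paragraph beginning `+Apache Software Foundation takes a rigorous standpoint in annihilating the security issues` reads awkwardly ("annihilating", "highly sensitive and forthcoming to issues") and should be reworded plainly, e.g. "The Apache Security Team and the Superset PMC treat every report seriously and respond promptly." Two further points in the same hunk. First, the request for "A sanitized copy of your `superset_config.py` file or any config overrides" should say what to redact (at minimum `SECRET_KEY`, database connection strings and any OAuth/LDAP/SMTP credentials), otherwise reporters will mail live secrets to the list. Second, the sentence "Results from security scans of Apache Superset dependencies found on its official Docker image can be remediated at release time by extending the image itself" leaves it unclear who remediates and when; suggest "Findings from scans of the official Docker image that concern third-party packages can be addressed by downstream users extending the image and upgrading the affected packages." It would also help to qualify "not responsible for any third-party dependencies" with a note that a dependency flaw exploitable through Superset itself should still be reported privately so the project can assess its exposure.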
diff --git a/docs/docs/security/_category_.json
b/docs/docs/security/_category_.json
new file mode 100644
index 0000000000..7d24a44873
--- /dev/null
+++ b/docs/docs/security/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Security",
+ "position": 10
+}
diff --git a/docs/docs/security/cves.mdx b/docs/docs/security/cves.mdx
new file mode 100644
index 0000000000..148af09c54
--- /dev/null
+++ b/docs/docs/security/cves.mdx
@@ -0,0 +1,27 @@
+---
+title: CVEs by release
+hide_title: true
+sidebar_position: 2
+---
+
+#### Version 2.1.0
+
+| CVE | Title
| Affected |
+| :------------- |
:---------------------------------------------------------------------- |
-----------------:|
+| CVE-2023-25504 | Possible SSRF on import datasets
| <= 2.1.0 |
+| CVE-2023-27524 | Session validation vulnerability when using provided
default SECRET_KEY | <= 2.1.0 |
+| CVE-2023-27525 | Incorrect default permissions for Gamma role
| <= 2.1.0 |
+| CVE-2023-30776 | Database connection password leak
| <= 2.1.0 |
+
+
+#### Version 2.0.1
+
+| CVE | Title
| Affected |
+| :------------- | :----------------------------------------------------------
| -----------------:|
+| CVE-2022-41703 | SQL injection vulnerability in adhoc clauses
| < 2.0.1 or <1.5.2 |
+| CVE-2022-43717 | Cross-Site Scripting on dashboards
| < 2.0.1 or <1.5.2 |
+| CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms
| < 2.0.1 or <1.5.2 |
+| CVE-2022-43719 | Cross Site Request Forgery (CSRF) on accept, request access
| < 2.0.1 or <1.5.2 |
+| CVE-2022-43720 | Improper rendering of user input
| < 2.0.1 or <1.5.2 |
+| CVE-2022-43721 | Open Redirect Vulnerability
| < 2.0.1 or <1.5.2 |
+| CVE-2022-45438 | Dashboard metadata information leak
| < 2.0.1 or <1.5.2 |
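Review bot: the "Affected" column of the Version 2.1.0 table is inconsistent with the Version 2.0.1 table and, read literally, says that 2.1.0 is itself still vulnerable. The 2.0.1 section uses strict bounds (`< 2.0.1 or <1.5.2`, i.e. fixed in the release the section is named after), while every 2.1.0 row says `<= 2.1.0`. If the heading means "fixed in 2.1.0", the rows should read `< 2.1.0` (or name the last vulnerable release); if 2.1.0 really is affected, the heading is wrong. Please check each row against the published advisory and state the heading semantics explicitly (e.g. "CVEs fixed in release X"). Minor: normalize the spacing to `< 1.5.2`, and the title for CVE-2022-43719, "Cross Site Request Forgery (CSRF) on accept, request access", needs rewording so it is clear which actions are affected.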
diff --git a/docs/docs/security.mdx b/docs/docs/security/security.mdx
similarity index 99%
rename from docs/docs/security.mdx
rename to docs/docs/security/security.mdx
index ab6d41e895..5934af51df 100644
--- a/docs/docs/security.mdx
+++ b/docs/docs/security/security.mdx
@@ -1,7 +1,7 @@
---
-title: Security
+title: Role based Access
hide_title: true
-sidebar_position: 10
+sidebar_position: 1
---
### Roles
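Review bot: the new title `Role based Access` should be hyphenated ("Role-based Access", or "Role-based Access Control" if that is what the Roles section covers). Also, moving the page from `docs/docs/security.mdx` to `docs/docs/security/security.mdx` changes its doc id and potentially its route, while the `.github/SECURITY.md` added in this same commit links to https://superset.apache.org/docs/security. Please confirm that URL still resolves after the build; if Docusaurus does not give this file the category URL via its folder-name convention, set `slug: /security` in this frontmatter, add a `link` entry to `docs/docs/security/_category_.json`, or configure a redirect so the published link does not 404.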