Wasn't this message sent before? I thought this vulnerability was fixed in 0.37.1.
If not, are there any workarounds to avoid it?

On Tue, Sep 29, 2020 at 2:40 PM Will Barrett <barrett.will...@gmail.com> wrote:

> Affected Versions: Apache Superset < 0.37.2
>
> In the course of work on the open source project it was discovered that
> authenticated users running queries against Hive and Presto database
> engines could access information via a number of templated fields, including
> the contents of the query description metadata database, the hashed version of
> the authenticated users' password, and access to connection information
> including the plaintext password for the current connection. It would also
> be possible to run arbitrary methods on the database connection object for
> the Presto or Hive connection, allowing the user to bypass security
> controls internal to Superset. This vulnerability is present in every
> Apache Superset version < 0.37.2.
>
> Will Barrett
> Member of the Project Management Committee
> Apache Incubator Superset

--
Ricardo Martinelli De Oliveira
Data Engineer, AI CoE
Red Hat Brazil <https://www.redhat.com/>
Av. Brigadeiro Faria Lima, 3900, 8th floor
rmart...@redhat.com
T: +551135426125 M: +5511970696531
@redhatjobs <https://twitter.com/redhatjobs> | redhatjobs <https://www.facebook.com/redhatjobs> | @redhatjobs <https://instagram.com/redhatjobs>