This is a different CVE but is also related to Jinja templates but a different manifestation of it. It was found and identified while doing an audit of everything exposed in Jinja templates.
Max On Tue, Sep 29, 2020 at 10:44 AM Ricardo Martinelli de Oliveira < rmart...@redhat.com> wrote: > Isn't this message sent before? I thought this vulnerability was fixed in > 0.37.1. > > If not, are there any workarounds to avoid it? > > On Tue, Sep 29, 2020 at 2:40 PM Will Barrett <barrett.will...@gmail.com> > wrote: > > > Affected Versions: Apache Superset < 0.37.2 > > > > In the course of work on the open source project it was discovered that > > authenticated users running queries against Hive and Presto database > > engines could access information via a number of templated fields > including > > the contents of query description metadata database, the hashed version > of > > the authenticated users’ password, and access to connection information > > including the plaintext password for the current connection. It would > also > > be possible to run arbitrary methods on the database connection object > for > > the Presto or Hive connection, allowing the user to bypass security > > controls internal to Superset. This vulnerability is present in every > > Apache Superset version < 0.37.2. > > > > Will Barrett > > Member of the Project Management Committee > > Apache Incubator Superset > > > > > -- > > Ricardo Martinelli De Oliveira > > Data Engineer, AI CoE > > Red Hat Brazil <https://www.redhat.com/> > > Av. Brigadeiro Faria Lima, 3900 > > 8th floor > > rmart...@redhat.com T: +551135426125 > M: +5511970696531 > @redhatjobs <https://twitter.com/redhatjobs> redhatjobs > <https://www.facebook.com/redhatjobs> @redhatjobs > <https://instagram.com/redhatjobs> > <https://www.redhat.com/> >
