This is a different CVE but is also related to Jinja templates but a
different manifestation of it. It was found and identified while doing an
audit of everything exposed in Jinja templates.
Max
On Tue, Sep 29, 2020 at 10:44 AM Ricardo Martinelli de Oliveira <
rmart...@redhat.com> wrote:
> Isn't
This is a separate CVE, for additional vulnerabilities detected in the Jinja
templating system and fixed in 0.37.2. At this point there is no known
workaround. This particular issue only affects the Presto and Hive databases,
so if you do not run Superset against those databases the CVE will not
Isn't this message sent before? I thought this vulnerability was fixed in
0.37.1.
If not, are there any workarounds to avoid it?
On Tue, Sep 29, 2020 at 2:40 PM Will Barrett
wrote:
> Affected Versions: Apache Superset < 0.37.2
>
> In the course of work on the open source project it was discover
Affected Versions: Apache Superset < 0.37.2
In the course of work on the open source project it was discovered that
authenticated users running queries against Hive and Presto database engines
could access information via a number of templated fields including the
contents of query description