CVE-2021-41972: Apache Superset allowed for database connections password leak for authenticated users

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.52322%
Published: 5/24/2022
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name      Ecosystem   Vulnerable Versions   First Patched Version
apache-superset   pip         <= 1.3.1              1.3.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is credential leakage through database connection handling. In the Apache Superset architecture:

  1. Database APIs (DatabaseApi.get) would handle database configuration retrieval
  2. Admin views (DatabaseView.show) would render connection details

Both would need to improperly expose password fields that should be masked before a response is returned. The CWE-522 (Insufficiently Protected Credentials) mapping confirms this is about insufficient protection of credentials in storage or transmission rather than a missing authentication check. The 'non-trivial' access described in the advisory, together with the PR:L component of the CVSS vector, suggests these functions required an authenticated user but did not properly filter sensitive fields from their responses.
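The defect class described above, as an added illustration that is not Superset's own code: a hypothetical database-config endpoint that serialises the stored SQLAlchemy URI as-is, beside a hardened version that masks the password component, plus a regression check that scans a response for the stored password. The record, field names and the `XXXXXXXXXX` mask are assumptions for the example; the URI parsing uses only the standard library.

```python
"""Added example (not Apache Superset's code): masking a database password
in an API response, the CWE-522 failure the analysis above describes."""
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample record, shaped like a hypothetical DB-config row.
# The password "s3cr:t@pw" is percent-encoded, as SQLAlchemy URIs require.
SAMPLE_DATABASE = {
    "id": 7,
    "database_name": "analytics",
    "sqlalchemy_uri": "postgresql://report_user:s3cr%3At%40pw@db.internal:5432/warehouse",
}

PASSWORD_MASK = "XXXXXXXXXX"  # assumed placeholder written into responses


def mask_password_in_uri(uri: str) -> str:
    """Return the URI with its password component replaced by PASSWORD_MASK.

    URIs without a password (e.g. sqlite file URIs) are returned unchanged.
    The user name is re-quoted so percent-encoding survives the round trip,
    and IPv6 literal hosts are re-bracketed.
    """
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    userinfo = quote(unquote(parts.username or ""), safe="")
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = f"{userinfo}:{PASSWORD_MASK}@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def vulnerable_get_database(record: dict) -> dict:
    """Before: the stored URI is returned verbatim, so any authenticated
    caller who can reach the endpoint receives the clear-text password."""
    return {
        "id": record["id"],
        "database_name": record["database_name"],
        "sqlalchemy_uri": record["sqlalchemy_uri"],
    }


def hardened_get_database(record: dict) -> dict:
    """After: the password is masked before the response leaves the server."""
    return {
        "id": record["id"],
        "database_name": record["database_name"],
        "sqlalchemy_uri": mask_password_in_uri(record["sqlalchemy_uri"]),
    }


def response_leaks_password(response: dict, stored_uri: str) -> bool:
    """Regression check: True if any string field of the response contains
    the stored password, in either its raw or percent-encoded form."""
    password = urlsplit(stored_uri).password
    if not password:
        return False
    candidates = {password, unquote(password)}
    return any(
        isinstance(value, str) and any(c in value for c in candidates)
        for value in response.values()
    )


if __name__ == "__main__":
    uri = SAMPLE_DATABASE["sqlalchemy_uri"]
    print("vulnerable leaks:", response_leaks_password(vulnerable_get_database(SAMPLE_DATABASE), uri))
    print("hardened leaks:  ", response_leaks_password(hardened_get_database(SAMPLE_DATABASE), uri))
    print("masked URI:      ", hardened_get_database(SAMPLE_DATABASE)["sqlalchemy_uri"])
```

The check in `response_leaks_password` is the kind of test a practitioner would add alongside the fix: it asserts on the serialised response rather than on the masking helper alone, so a second view or endpoint that forgets to call the helper still fails the test.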

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
