Apache Superset Sensitive Data Exposure Vulnerability in Tag Endpoint

Vulnerability

A sensitive data exposure vulnerability has been identified in Apache Superset versions prior to 6.0.0. This issue allows authenticated users, particularly those with low privileges such as the Gamma role, to access sensitive user information. The vulnerability arises in the Tag endpoint, which is disabled by default. When enabled, this endpoint can be used to retrieve a list of objects associated with a specific tag. If the associated objects include users, the API response improperly exposes sensitive fields such as password hashes (using the pbkdf2 algorithm), email addresses, and login statistics. This flaw enables unauthorized access to sensitive authentication data.

Impact

Exploitation of this vulnerability allows authenticated users with low privileges to access sensitive user information, including password hashes, email addresses, and login statistics.

Remediation

Users are advised to upgrade to Apache Superset version 6.0.0 or later, which addresses this vulnerability. Alternatively, ensure that the TAGGING_SYSTEM configuration is set to False, which is the current default.
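As an added example (not code from the advisory or from the Superset project), the following audit helper turns the two facts above into a check a defender can run against an instance's version and settings: releases before 6.0.0 are affected, and the Tag endpoint is only reachable when TAGGING_SYSTEM is True, with False being the default. The version strings and settings dicts are constructed for illustration.

```python
import re
from typing import Mapping

# First release that carries the fix, per the advisory.
FIXED_VERSION = (6, 0, 0)

def parse_version(version: str) -> tuple[int, int, int]:
    """Extract numeric major.minor.patch from strings such as '4.1.2' or 'v5.0'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)

def tagging_enabled(config: Mapping[str, object]) -> bool:
    """Read TAGGING_SYSTEM with its documented default of False when unset."""
    return bool(config.get("TAGGING_SYSTEM", False))

def assess(version: str, config: Mapping[str, object]) -> str:
    """Classify an instance as 'patched', 'mitigated' or 'exposed'.

    patched   : 6.0.0 or later, fixed regardless of configuration
    mitigated : affected version, but the Tag endpoint is disabled
    exposed   : affected version with TAGGING_SYSTEM = True
    """
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    if not tagging_enabled(config):
        return "mitigated"
    return "exposed"

if __name__ == "__main__":
    # Constructed settings standing in for a real superset_config.py.
    weak = {"TAGGING_SYSTEM": True}       # Tag endpoint switched on
    hardened = {"TAGGING_SYSTEM": False}  # the default, and the advised workaround
    for ver in ("4.1.2", "6.0.0"):
        print(f"{ver}: weak -> {assess(ver, weak)}, hardened -> {assess(ver, hardened)}")
```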

Added: Feb 24, 2026, 3:00 PM
Updated: Feb 24, 2026, 11:03 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.