
Cloud Vulnerability DB
A community-led vulnerabilities database
A privilege escalation vulnerability was discovered in Apache Superset, identified as CVE-2023-49734. The vulnerability affects Apache Superset versions before 2.1.2 and from 3.0.0 before 3.0.2. The issue was discovered by Jordan Velich and publicly disclosed on December 19, 2023 (Apache Advisory, Security Online).
The vulnerability allows an authenticated Gamma user to gain unauthorized write permissions on charts. When a Gamma user creates a dashboard and adds charts to it, they are automatically made one of the owners of those charts, even though they did not create them, so ownership (and the write access that comes with it) is granted incorrectly. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High) by the Apache Software Foundation with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N. It is classified as CWE-863 (Incorrect Authorization) (NVD).
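The ownership drift described above can be audited after the fact: any chart whose owner list contains a Gamma-role user who is not the chart's creator is worth reviewing. The following is an added example, not code from the Superset project, and it runs against a constructed, simplified in-memory model (the table and column names are assumptions, not Superset's real metadata schema):

```python
import sqlite3

# Constructed, simplified model of users, charts and chart ownership.
# Assumption: real Superset metadata tables differ; only the audit logic matters here.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
CREATE TABLE charts (id INTEGER PRIMARY KEY, name TEXT, created_by INTEGER);
CREATE TABLE chart_owners (chart_id INTEGER, user_id INTEGER);
"""

# Constructed sample data: bob (Gamma) added charts 10 and 11, created by
# others, to his own dashboard and ended up as an owner of both.
SAMPLE = """
INSERT INTO users VALUES (1, 'alice', 'Admin'), (2, 'bob', 'Gamma'), (3, 'carol', 'Alpha');
INSERT INTO charts VALUES (10, 'revenue', 1), (11, 'churn', 3), (12, 'bob_own', 2);
INSERT INTO chart_owners VALUES (10, 1), (10, 2), (11, 3), (11, 2), (12, 2);
"""

# Flag Gamma-role owners that are not the creator of the chart they own.
AUDIT_QUERY = """
SELECT c.id, c.name, u.username
FROM chart_owners co
JOIN charts c ON c.id = co.chart_id
JOIN users u ON u.id = co.user_id
WHERE u.role = 'Gamma' AND c.created_by != u.id
ORDER BY c.id
"""


def build_sample_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def find_gamma_owners_not_creators(conn):
    """Return (chart_id, chart_name, username) for each unexpected Gamma owner."""
    return [tuple(row) for row in conn.execute(AUDIT_QUERY)]


if __name__ == "__main__":
    db = build_sample_db()
    for chart_id, name, user in find_gamma_owners_not_creators(db):
        print(f"chart {chart_id} ({name}): unexpected Gamma owner {user}")
```

Chart 12 is not reported because bob created it himself; only ownership that was acquired through someone else's chart is flagged.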
The vulnerability enables privilege escalation: lower-privileged users can gain undue control over chart permissions, which threatens data integrity within Apache Superset installations. This gap could lead to unauthorized modifications of charts and dashboards (Security Online).
Users are advised to upgrade to Apache Superset version 3.0.2 or 2.1.3, which contain fixes for this vulnerability. These versions were released specifically to address this security issue (Apache Advisory).
Source: This report was generated using AI