CVE-2024-53949: 
Wolfi vulnerability analysis and mitigation

Apache Superset, an open-source business intelligence platform, was found to contain an Improper Authorization vulnerability (CVE-2024-53949) when the FAB_ADD_SECURITY_API feature is enabled (though disabled by default). The vulnerability affects Apache Superset versions from 2.0.0 to versions before 4.1.0. This security flaw was discovered by Jonathan Zimmerman, with remediation developed by Hugh Miles (Apache Advisory, OSS Security).

The vulnerability is classified as CWE-863 (Incorrect Authorization) and has received a CVSS 4.0 base score of 7.6 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. Under CVSS 3.1, it scores 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

When exploited, this vulnerability allows lower-privileged users to create new roles through the API when FAB_ADD_SECURITY_API is enabled, potentially leading to unauthorized access to sensitive functionalities and privilege escalation (Security Online).

Users are strongly recommended to upgrade to Apache Superset version 4.1.0, which contains the fix for this vulnerability. If immediate upgrading is not possible, administrators should ensure that the FAB_ADD_SECURITY_API feature remains disabled (Security Online).