Skip to main content

CVEs fixed by release

Version 4.1.2

CVETitleAffected
CVE-2025-27696Improper authorization leading to resource ownership takeover< 4.1.2

Version 4.1.0

CVETitleAffected
CVE-2024-53947Improper SQL authorisation, parse for specific postgres functions< 4.1.0
CVE-2024-53948Error verbosity exposes metadata in analytics databases< 4.1.0
CVE-2024-53949Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled< 4.1.0
CVE-2024-55633SQLLab Improper readonly query validation allows unauthorized write access< 4.1.0

Version 4.0.2

CVETitleAffected
CVE-2024-39887Improper SQL authorization< 4.0.1

Version 3.1.3, 4.0.1

CVETitleAffected
CVE-2024-34693Server arbitrary file read< 3.1.3, >= 4.0.0, < 4.0.1

Version 3.1.2

CVETitleAffected
CVE-2024-28148Incorrect datasource authorization on explore REST API< 3.1.2

Version 3.0.4, 3.1.1

CVETitleAffected
CVE-2024-27315Improper error handling on alerts< 3.0.4, >= 3.1.0, < 3.1.1
CVE-2024-24773Improper validation of SQL statements allows for unauthorized access to data< 3.0.4, >= 3.1.0, < 3.1.1
CVE-2024-24772Improper Neutralisation of custom SQL on embedded context< 3.0.4, >= 3.1.0, < 3.1.1
CVE-2024-24779Improper data authorization when creating a new dataset< 3.0.4, >= 3.1.0, < 3.1.1
CVE-2024-26016Improper authorization validation on dashboards and charts import< 3.0.4, >= 3.1.0, < 3.1.1

Version 3.0.3

CVETitleAffected
CVE-2023-49657Stored XSS in Dashboard Title and Chart Title< 3.0.3

Version 3.0.2, 2.1.3

CVETitleAffected
CVE-2023-46104Allows for uncontrolled resource consumption via a ZIP bomb< 2.1.3, >= 3.0.0, < 3.0.2
CVE-2023-49736SQL Injection on where_in JINJA macro< 2.1.3, >= 3.0.0, < 3.0.2
CVE-2023-49734Privilege Escalation Vulnerability< 2.1.3, >= 3.0.0, < 3.0.2

Version 3.0.0

CVETitleAffected
CVE-2023-42502Open Redirect Vulnerability< 3.0.0
CVE-2023-42505Sensitive information disclosure on db connection details< 3.0.0

Version 2.1.3

CVETitleAffected
CVE-2023-42504Lack of rate limiting allows for possible denial of service< 2.1.3

Version 2.1.2

CVETitleAffected
CVE-2023-40610Privilege escalation with default examples database< 2.1.2
CVE-2023-42501Unnecessary read permissions within the Gamma role< 2.1.2
CVE-2023-43701Stored XSS on API endpoint< 2.1.2

Version 2.1.1

CVETitleAffected
CVE-2023-36387Improper API permission for low privilege users< 2.1.1
CVE-2023-36388Improper API permission for low privilege users allows for SSRF< 2.1.1
CVE-2023-27523Improper data permission validation on Jinja templated queries< 2.1.1
CVE-2023-27526Improper Authorization check on import charts< 2.1.1
CVE-2023-39264Stack traces enabled by default< 2.1.1
CVE-2023-39265Possible Unauthorized Registration of SQLite Database Connections< 2.1.1
CVE-2023-37941Metadata db write access can lead to remote code execution< 2.1.1
CVE-2023-32672SQL parser edge case bypasses data access authorization< 2.1.1

Version 2.1.0

CVETitleAffected
CVE-2023-25504Possible SSRF on import datasets< 2.1.0
CVE-2023-27524Session validation vulnerability when using provided default SECRET_KEY< 2.1.0
CVE-2023-27525Incorrect default permissions for Gamma role< 2.1.0
CVE-2023-30776Database connection password leak< 2.1.0

Version 2.0.1

CVETitleAffected
CVE-2022-41703SQL injection vulnerability in adhoc clauses< 2.0.1 or < 1.5.2
CVE-2022-43717Cross-Site Scripting on dashboards< 2.0.1 or < 1.5.2
CVE-2022-43718Cross-Site Scripting vulnerability on upload forms< 2.0.1 or < 1.5.2
CVE-2022-43719Cross Site Request Forgery (CSRF) on accept, request access< 2.0.1 or < 1.5.2
CVE-2022-43720Improper rendering of user input< 2.0.1 or < 1.5.2
CVE-2022-43721Open Redirect Vulnerability< 2.0.1 or < 1.5.2
CVE-2022-45438Dashboard metadata information leak< 2.0.1 or < 1.5.2