CVE-2024-53949: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled

[Daniel Gaspar <dpgaspar () apache org>]

Affected versions:

- Apache Superset 2.0.0 before 4.1.0

Description:

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). 
Allows for lower privilege users to use this API.

 issue affects Apache Superset: from 2.0.0 before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Credit:

Jonathan Zimmerman (reporter)
Hugh Miles (remediation developer)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-53949