diff --git a/CHANGELOG.md b/CHANGELOG.md
index cba6558c0..e430615ce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ All notable changes to this project will be documented in this file.
- stackable-base: Mitigate CVE-2023-37920 by removing e-Tugra root certificates ([#673]).
- hdfs: Exclude unused jars and mitigate snappy-java CVEs by bumping dependency ([#682]).
- druid: Build from source ([#684]).
+- superset: Updating Flask-AppBuilder and gevent, remove greenlet from 3.1.0-constrains.txt to mitigate CVE-2024-25128 and CVE-2023-41419 ([#686]).
### Changed
@@ -86,6 +87,7 @@ All notable changes to this project will be documented in this file.
[#682]: https://github.com/stackabletech/docker-images/pull/682
[#684]: https://github.com/stackabletech/docker-images/pull/684
[#685]: https://github.com/stackabletech/docker-images/pull/685
+[#686]: https://github.com/stackabletech/docker-images/pull/686
[#688]: https://github.com/stackabletech/docker-images/pull/688
## [24.3.0] - 2024-03-20
diff --git a/superset/constraints-3.1.0.txt b/superset/constraints-3.1.0.txt
index 75b1c7f9c..b0cd6b393 100644
--- a/superset/constraints-3.1.0.txt
+++ b/superset/constraints-3.1.0.txt
@@ -98,7 +98,8 @@ flask==2.2.5
# flask-session
# flask-sqlalchemy
# flask-wtf
-flask-appbuilder==4.3.10
+# Bumping 4.3.10 -> 4.3.11 to get rid of CVE-2024-25128
+flask-appbuilder==4.3.11
# via apache-superset
flask-babel==1.0.0
# via flask-appbuilder
@@ -134,7 +135,9 @@ geographiclib==1.52
# via geopy
geopy==2.2.0
# via apache-superset
-greenlet==2.0.2
+# Letting python decide which greenlet version to compile at
+# since we diverge from the vendor to fix CVE's
+# greenlet==2.0.2
# via
# shillelagh
# sqlalchemy
@@ -383,7 +386,9 @@ zipp==3.15.0
# importlib-metadata
# importlib-resources
# from https://github.com/apache/superset/blob/3.1.0/requirements/docker.txt
-gevent==22.10.2
+# Bumped 22.10.2 -> 24.2.1 version to get rid of
+# CVE-2023-41419
+gevent==24.2.1
# via -r requirements/docker.in
psycopg2-binary==2.9.6
# via apache-superset