CVE-2024-39887 Scanner - SQL Injection vulnerability in Apache Superset

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 3 hours
Scan only one: Domain, IPv4
Toolbox: -

Apache Superset is an open-source data visualization and exploration platform, primarily used for creating dashboards and data reports. It supports a variety of data sources and offers advanced analytics features. Users often deploy Superset in business intelligence (BI) environments to analyze and visualize data interactively. It is widely adopted by organizations for its flexibility and ease of integration with modern data warehouses. Apache Superset provides role-based access control to restrict access to dashboards and data sources. However, a vulnerability exists in earlier versions that could expose users to SQL injection attacks.

The vulnerability in Apache Superset is an SQL Injection, which arises due to improper neutralization of special elements used in SQL commands. The issue is caused by insufficient validation of engine-specific functions. This allows attackers to potentially bypass authorization mechanisms and execute arbitrary SQL queries. The vulnerability primarily affects versions prior to 4.0.2. This can lead to unauthorized access or data manipulation, depending on the attacker's privileges. The issue is mitigated in version 4.0.2, where certain functions are disallowed by a new configuration key.

The SQL injection vulnerability is triggered through certain SQL functions that are improperly handled by Apache Superset's SQL engine. Attackers can exploit this flaw by injecting malicious SQL queries into endpoints that interact with the database. The functions 'version', 'query_to_xml', 'inet_server_addr', and 'inet_client_addr' are specifically affected: they are not properly validated, which allows the authorization check to be bypassed and arbitrary commands to be executed. To mitigate this issue, the new configuration key 'DISALLOWED_SQL_FUNCTIONS' can block these dangerous functions. The injection point exists primarily in the login and chart data API endpoints. Attackers can exploit the vulnerability by sending specially crafted POST requests with SQL injection payloads.
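An added example (not from the original page or from the Superset project) of auditing a deployment for the mitigation described above: it compares the reported version with 4.0.2 and statically reads a superset_config.py-style file for a DISALLOWED_SQL_FUNCTIONS override that leaves out any of the four functions. The engine-name-to-set shape of the key, the "postgresql" engine key, and all helper names are assumptions.

```python
import ast
import re

# The four functions and the fixed release are the ones named in the text above.
REQUIRED = {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"}
FIXED_VERSION = (4, 0, 2)
# Constructed sample override (not a real deployment): two functions are missing.
SAMPLE_CONFIG = 'DISALLOWED_SQL_FUNCTIONS = {"postgresql": {"version", "query_to_xml"}}\n'


def parse_version(text):
    """Turn a dotted version such as '4.0.1' into a tuple of three ints."""
    nums = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def read_disallowed(config_source):
    """Read DISALLOWED_SQL_FUNCTIONS from config text without executing it."""
    found = None
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets = [node.target]
        else:
            continue
        if any(isinstance(t, ast.Name) and t.id == "DISALLOWED_SQL_FUNCTIONS" for t in targets):
            found = ast.literal_eval(node.value)  # a later assignment overrides
    return found


def audit(version, config_source, engine="postgresql"):
    """Return findings; an empty list means both checks pass."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"version {version} is older than 4.0.2")
    disallowed = read_disallowed(config_source)
    if disallowed is None:
        return findings  # key not overridden here; assumed: release default applies
    blocked = {name.lower() for name in disallowed.get(engine, ())}
    missing = sorted(REQUIRED - blocked)
    if missing:
        findings.append(f"{engine}: override does not block {', '.join(missing)}")
    return findings
```

A local override replaces the whole value, so an override that lists only some functions silently drops the rest; that is the case the second finding reports.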

Exploiting this vulnerability can allow attackers to bypass SQL authorization checks and execute arbitrary queries. This could result in unauthorized data access or modification, including potentially sensitive data within the database. In some cases, it could lead to privilege escalation, allowing attackers to gain administrative access. The attacker may also retrieve version information and network details via the vulnerable SQL functions. If fully exploited, the vulnerability could compromise the entire data management system used by Apache Superset. In the worst case, attackers could execute remote code or cause a denial of service.
