BIT-superset-2024-39887
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/superset/BIT-superset-2024-39887.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/BIT-superset-2024-39887
- Aliases
- Published
- 2025-02-05T07:25:23.689Z
- Modified
- 2025-05-20T10:02:07.006Z
- Summary
- Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
- Details
-
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWEDSQLFUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, querytoxml, inetserveraddr, and inetclientaddr. Additional functions can be added to this list for increased protection.
This issue affects Apache Superset: before 4.0.2.
Users are recommended to upgrade to version 4.0.2, which fixes the issue.
- Database specific
{ "cpes": [ "cpe:2.3:a:apache:superset:*:*:*:*:*:python:*:*" ], "severity": "Critical" }- References
Affected packages
Bitnami / superset
Package
- Name
- superset
- Purl
- pkg:bitnami/superset
Severity
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator