CVE-2024-34693

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-34693

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-34693.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-34693

Aliases

Published

2024-06-20T09:15:11Z

Modified

2025-07-01T15:54:11.728679Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0

Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.

References

Affected packages

Git / github.com/apache/incubator-superset

Affected ranges

Type: GIT
Repo: https://github.com/apache/incubator-superset
Events: Introduced

c35842e9f1c987d5e684969540fea3d8a5d03ad9

Fixed

3b8bc9b2bd9ee9c10de72bd39859d68676b255fa

Type: GIT
Repo: https://github.com/apache/superset
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

31e1b63bb3e9f5b3adc289c5580e53d4dcabf277

Affected versions

4.*

4.0.0

4.0.0rc2