GHSA-f678-j579-4xf5

Source

https://github.com/advisories/GHSA-f678-j579-4xf5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-f678-j579-4xf5/GHSA-f678-j579-4xf5.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-f678-j579-4xf5

Aliases

Related

CVE-2023-40610

Published

2023-11-28T18:56:21Z

Modified

2025-02-05T09:12:09.683861Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Apache Superset - Elevation of Privilege

Details

Overview

An attacker with access to the SQL Lab and the abuser and abuser_role tables can elevate his privileges to become administrator.

Details

On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords. Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability).

Proof of Concept

Some tables are supposed to accept only SELECT requests from the SQL tab. - Attempt to create a new user injectedadmin into the abuser table: PoC_1

But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query. INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax: WITH a AS ( INSERT INTO abuser (id, firstname, lastname, username, email, password) VALUES (2, ‘injectedadmin’, ‘injectedadmin’, ‘injectedadmin’, ‘injectedadmin@gmail.com’, ‘{PASSWORDHASH}’) RETURNING id ) SELECT * FROM a; PoC2 - injectedadmin added to the abuser table: PoC3

This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables abuserrole can escalate his privilege to become administrator. - Locating the ID of the user ‘Auditeur B’, who has no rights and is not an admin. The request is done being ‘Auditeur B’: PoC4 - Locating the rows that keep the role of the user ‘Auditeur B’. The row 36 stores the value 3, indicating the role ‘Alpha’ for ‘Auditeur B’: PoC5 - Modification of the row 36 with an UPDATE request embedded in a WITH request: PoC6 - ‘Auditeur B’ role has been changed to Admin: PoC7

This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).

Solution

Orange recommendation

To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.

Security patch

Upgrade to Superset version 2.1.2.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40610 https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Credits

LEXFO for Orange Innovation

Orange CERT-CC at Orange group

Timeline

Date reported: July 27, 2023 Date fixed: November 27, 2023

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T18:56:21Z"
}

References

Affected packages

PyPI / apache-superset

Package

Name: apache-superset; View open source insights on deps.dev
Purl: pkg:pypi/apache-superset

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.2

Affected versions

0.*

0.34.0

0.34.1

0.35.1

0.35.2

0.36.0

0.37.0

0.37.1

0.37.2

0.38.0

0.38.1

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

2.*

2.0.0

2.0.1

2.1.0

2.1.1rc1

2.1.1rc2

2.1.1rc3

2.1.1