CyberSecurity updates
2025-01-30 21:25:27 Pacific

Apache Superset Security Vulnerabilities Patched - 19d
Read more: securityonline.info

Apache Superset, a popular open-source data visualization platform, has been patched to address multiple security vulnerabilities. They include a SQL injection flaw that lets an attacker with SQL Lab access run SQL that Superset should have rejected, potentially reaching sensitive data, and an improper authorization issue that lets lower-privileged users create new roles and escalate their privileges when the `FAB_ADD_SECURITY_API` setting is enabled. All of the issues affect Superset versions before 4.1.0. The SQL injection stems from inadequate query validation: Superset's checks could be bypassed with PostgreSQL functions that take a query or table name as an argument and execute it on the caller's behalf, so the outer statement can pass as a plain SELECT while the work it does is something else. The functions singled out as exploitable are `query_to_xml`, `query_to_xml_and_xmlschema`, `table_to_xml`, and `table_to_xml_and_xmlschema`.

The Apache Software Foundation has released Apache Superset 4.1.0 to address these vulnerabilities, tracked as CVE-2024-53947 (SQL injection), CVE-2024-53948 (metadata exposure), and CVE-2024-53949 (authorization bypass). Users are urged to upgrade immediately. Where an upgrade has to wait, two temporary mitigations are available: for CVE-2024-53947, add the four PostgreSQL functions above to the `DISALLOWED_SQL_FUNCTIONS` setting in `superset_config.py`; for CVE-2024-53949, disable `FAB_ADD_SECURITY_API` unless it is strictly needed (it is off in the default configuration). A denylist of function names is a stopgap, not a fix: it only covers the names listed, so apply it alongside the upgrade rather than instead of it. Independently of either fix, connecting analytics databases through a read-only database user bounds what a bypassed read-only check can do, because the database itself refuses writes. The release notes stress that the update is needed to protect sensitive data and prevent unauthorized access.
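The following is an added example, not code from Superset or from the article: it shows the two workaround settings as they would appear in `superset_config.py`, next to a small denylist check modelled on (not copied from) what `DISALLOWED_SQL_FUNCTIONS` enforces, run over constructed SQL Lab input. It demonstrates why a surface "starts with SELECT" test is not enough on its own. The dictionary key `Postgres` is assumed to match the engine name your Superset version uses; check the `DISALLOWED_SQL_FUNCTIONS` default in your release's `config.py` before copying it.

```python
import re

# --- Values for superset_config.py (pre-4.1.0 workarounds) ---
# Engine key "Postgres" is an assumption; confirm against your config.py.
DISALLOWED_SQL_FUNCTIONS = {
    "Postgres": {
        "query_to_xml",
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}
# CVE-2024-53949 workaround: keep the security API off unless it is needed.
FAB_ADD_SECURITY_API = False


def looks_read_only(sql: str) -> bool:
    """Naive read-only test: accept anything whose first keyword is SELECT.

    This is the kind of surface check the xml functions slip past, because
    the statement they execute is hidden inside a string argument.
    """
    stripped = sql.strip()
    if not stripped:
        return False
    return stripped.split(None, 1)[0].upper() == "SELECT"


def disallowed_functions_in(sql: str, engine: str = "Postgres") -> set:
    """Return the disallowed function names that appear as calls in sql.

    Matches case-insensitively and tolerates schema qualification
    (pg_catalog.query_to_xml), but not a longer identifier that merely
    starts with the name (query_to_xml_and_xmlschema is its own entry).
    """
    names = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    found = set()
    for name in names:
        pattern = r"(?<!\w)" + re.escape(name) + r"\s*\("
        if re.search(pattern, sql, re.IGNORECASE):
            found.add(name)
    return found


def should_block(sql: str, engine: str = "Postgres") -> bool:
    """Block unless the statement looks read-only AND calls no denied function."""
    return (not looks_read_only(sql)) or bool(disallowed_functions_in(sql, engine))


# Constructed sample SQL Lab input (not real traffic).
BENIGN = "SELECT id, email FROM users WHERE created_at > now() - interval '1 day'"
# Passes the naive read-only check, but the inner statement is not a read.
WRAPPED = "SELECT query_to_xml('update audit_log set reviewed = true', true, true, '')"
SCHEMA_QUALIFIED = "select pg_catalog.table_to_xml('users', true, false, '')"

if __name__ == "__main__":
    for sql in (BENIGN, WRAPPED, SCHEMA_QUALIFIED):
        verdict = "BLOCK" if should_block(sql) else "allow"
        hits = sorted(disallowed_functions_in(sql)) or "-"
        print(f"{verdict:5}  read_only={looks_read_only(sql)}  disallowed={hits}")
```

Both `WRAPPED` and `SCHEMA_QUALIFIED` satisfy the naive read-only test and are stopped only by the denylist, which is the gap the 4.1.0 fix closes properly; a plain `UPDATE` is rejected by the first check alone.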