Incorrectly Identified SQL DML Statement Vulnerability Affects Apache Superset Before 4.1.0

CVE-2024-55633

Currently unrated 🤨

Key Information

Vendor: Apache
Status: Apache Superset
Vendor: CVE Published:; 12 December 2024

Summary

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Affected Version(s)

Apache Superset < 4.1.0

References

https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09z...

vendor-advisory

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Dec 9, 2024

Collectors

NVD DatabaseMitre Database

Credit

Beto de Almeida

Daniel Gaspar

James Ford (Striveworks)