Incorrectly Identified SQL DML Statement Vulnerability Affects Apache Superset Before 4.1.0
CVE-2024-55633

7.1HIGH

Key Information:

Vendor: Apache
Status: Apache Superset
Vendor: CVE Published:; 12 December 2024

Summary

An improper authorization vulnerability exists in Apache Superset, allowing an attacker with SQLLab access to execute specially crafted SQL DML statements, which are incorrectly identified as read-only queries on Postgres analytic databases. This flaw is not present in non-Postgres database connections or Postgres connections using a read-only user role. Users are urged to upgrade to version 4.1.0 to mitigate this security risk.

Affected Version(s)

Apache Superset 0 < 4.1.0

References

https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09z...

vendor-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Dec 9, 2024

Credit

Beto de Almeida

Daniel Gaspar

James Ford (Striveworks)