Cyber Resilience

CVE-2023-37924

Critical

Published: 22 November 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in release 0.8.0
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7707 (99.0th percentile)
Risk Priority: 66 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-37924 is a critical-severity SQL Injection (CWE-89) vulnerability in Apache Submarine. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Submarine versions 0.7.0 through 0.7.x contain an SQL injection flaw in the login process, tracked as CVE-2023-37924 and assigned CWE-89. The vulnerability stems from insufficient input sanitization during authentication, enabling crafted requests to bypass normal credential checks and reach the workbench without a valid account. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction.

An unauthenticated remote attacker can submit malicious SQL through the login endpoint to obtain unauthorized access. Successful exploitation grants the ability to log in as any user, including administrative accounts, thereby compromising the confidentiality, integrity, and availability of the Submarine instance and any connected machine-learning workloads.

The Apache project addressed the issue in release 0.8.0, which enforces proper authentication, adds OIDC support, and eliminates unauthenticated login paths. Users unable to upgrade immediately are advised to apply the fixes from pull requests 1037 and 1054, then rebuild the submarine-server container image. The EPSS score has reached 0.77 with no documented rise after disclosure.
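As an added illustration, not code from Apache Submarine (whose actual login query and schema are not on this page), the following Python/SQLite sketch shows the CWE-89 pattern behind a login bypass of the kind described above: a credential check that splices user input into the SQL text, beside the parameterized form that treats the same input as a plain string value. The user table and credentials are constructed for the example; in a Java code base the equivalent of the hardened form is a JDBC PreparedStatement with bound parameters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table for the demo (not Submarine's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "c0rrect-horse", "admin"), ("alice", "s3cret", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """CWE-89: user input is pasted into the SQL text, so quotes and
    operators in the input change the query's logic instead of being data.
    Returns the matched (name, role) row or None."""
    query = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Hardened form: the SQL text is fixed and the input is bound as values.
    The driver never interprets the input as SQL, whatever it contains."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()


def bypass_possible(login_fn) -> bool:
    """Defender's self-check: a credential that matches no stored user must
    never yield a row. The password below is a constructed input containing
    a quote and an always-true predicate, the textbook CWE-89 probe."""
    conn = make_db()
    probe_password = "' OR '1'='1"
    return login_fn(conn, "nobody", probe_password) is not None


if __name__ == "__main__":
    print("vulnerable login bypassed:", bypass_possible(login_vulnerable))
    print("parameterized login bypassed:", bypass_possible(login_parameterized))
```

Run as a script, the vulnerable function returns a row for a user that does not exist (the injected predicate turns the WHERE clause into `... AND password = '' OR '1'='1'`), while the parameterized function returns nothing because the same string is compared as a literal password. The `bypass_possible` helper is the shape of a regression test worth keeping in a project's suite after a fix like the one shipped in 0.8.0.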

EU & UK References

Vulnerability details

Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login. Now we have fixed this issue and now user must have the correct login to access workbench. This issue affects Apache Submarine: from 0.7.0 before 0.8.0. We recommend that all submarine users with 0.7.0 upgrade to 0.8.0, which not only fixes the issue, supports the oidc authentication mode, but also removes the case of unauthenticated logins. If using the version lower than 0.8.0 and not want to upgrade, you can try cherry-pick PR https://github.com/apache/submarine/pull/1037 https://github.com/apache/submarine/pull/1054 and rebuild the submarine-server image to fix this.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: submarine
Versions: from 0.7.0 up to, but not including, 0.8.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses CWE-89)

- Validates query inputs to prevent SQL syntax or command manipulation. (addresses CWE-89)

References