CVE-2023-37924
Published: 22 November 2023
Summary
CVE-2023-37924 is a critical-severity SQL Injection (CWE-89) vulnerability in Apache Submarine. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Submarine versions 0.7.0 through 0.7.x contain an SQL injection flaw in the login process, tracked as CVE-2023-37924 and assigned CWE-89. The vulnerability stems from insufficient input sanitization during authentication, enabling crafted requests to bypass normal credential checks and reach the workbench without a valid account. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction.
An unauthenticated remote attacker can submit malicious SQL through the login endpoint to obtain unauthorized access. Successful exploitation grants the ability to log in as any user, including administrative accounts, thereby compromising the confidentiality, integrity, and availability of the Submarine instance and any connected machine-learning workloads.
The Apache project addressed the issue in release 0.8.0, which enforces proper authentication, adds OIDC support, and eliminates unauthenticated login paths. Users unable to upgrade immediately are advised to apply the fixes from pull requests 1037 and 1054, then rebuild the submarine-server container image. The EPSS score has reached 0.77 with no documented rise after disclosure.
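As an added illustration of the CWE-89 pattern described above (not code from Apache Submarine): a login check that splices user input into the SQL text, the parameterised form that the fix class relies on, and a probe a defender can run against a login path to tell the two apart. The table, users and hashing scheme are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed sample user table; not Submarine's schema.
SAMPLE_USERS = [("admin", "s3cret-admin"), ("alice", "alice-pass")]


def _hash(pw: str) -> str:
    # Plain SHA-256 keeps the demo short; a real deployment would use a
    # salted, slow password hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, _hash(p)) for u, p in SAMPLE_USERS])
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89 pattern: untrusted input is concatenated into the SQL text, so a
    quote or comment sequence in `username` rewrites the WHERE clause and the
    password comparison can be dropped from the query entirely."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the input as data, never as SQL,
    so the same string is matched literally and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, _hash(password))).fetchone()
    return row[0] if row else None


def login_probe_errors(conn, login_fn) -> bool:
    """Defender check: does a lone apostrophe in the username reach the SQL
    parser? A database error on this harmless input is the classic sign that
    the login path is vulnerable to injection."""
    try:
        login_fn(conn, "o'brien", "whatever")
        return False
    except sqlite3.OperationalError:
        return True
```

A fixed login path must return no user for any input that is not an exact credential match and must never surface a database error for ordinary punctuation; both properties make good regression tests after applying a patch such as the one in 0.8.0.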
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0043
Vulnerability details
Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login. Now we have fixed this issue and now the user must have the correct login to access the workbench. This issue affects Apache Submarine: from 0.7.0 before 0.8.0. We recommend that all submarine users with 0.7.0 upgrade to 0.8.0, which not only fixes the issue and supports the oidc authentication mode, but also removes the case of unauthenticated logins. If using a version lower than 0.8.0 and you do not want to upgrade, you can try cherry-picking PRs https://github.com/apache/submarine/pull/1037 and https://github.com/apache/submarine/pull/1054 and rebuilding the submarine-server image to fix this.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.