CVE-2023-39265
Published: 06 September 2023
Summary
CVE-2023-39265 is a low-severity Improper Input Validation (CWE-20) vulnerability in Apache Superset. Its CVSS base score is 3.8 (Low).
Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Apache Superset versions up to and including 2.1.0 contain an input validation flaw that permits SQLite database connections to be registered using alternate driver names such as sqlite+pysqlite or through database import mechanisms. The affected component is the database connection registration logic, which fails to enforce the intended SQLite driver restrictions and can lead to unexpected file creation on the Superset web server. When Superset itself uses SQLite for metadata storage, the issue can further expose confidentiality and integrity risks.
An authenticated attacker with administrative privileges can supply crafted connection strings or import files to trigger the flaw. Successful exploitation allows creation of arbitrary files on the server and, in metadata SQLite deployments, broader unauthorized access or modification of Superset configuration and data.
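As an added example (not Apache Superset's own code), the Python below contrasts a prefix check on the raw connection URI, which an alternate driver name such as sqlite+pysqlite slips past, with a check on the normalized backend name, the part of the scheme before any "+driver" suffix. The blocked-backend set and the sample URIs are constructed for illustration.

```python
"""Backend-name normalization for database connection URIs.

Added example, not Apache Superset's code: shows why a literal prefix check
on the raw scheme is bypassable by an alternate driver name and how comparing
the backend name closes that gap (the pattern behind CVE-2023-39265).
"""
from urllib.parse import urlsplit

# Backends an operator does not want registered as analytics databases.
# The set is an assumption for this example.
BLOCKED_BACKENDS = {"sqlite"}


def naive_is_allowed(uri: str) -> bool:
    """Weak check: only rejects the literal 'sqlite://' prefix."""
    return not uri.lower().startswith("sqlite://")


def backend_name(uri: str) -> str:
    """Return the backend part of a SQLAlchemy-style URI scheme.

    'sqlite+pysqlite:///x.db' -> 'sqlite'
    'postgresql+psycopg2://...' -> 'postgresql'
    Raises ValueError when the URI carries no scheme at all.
    """
    scheme = urlsplit(uri.strip()).scheme  # urlsplit lower-cases the scheme
    if not scheme:
        raise ValueError("connection URI has no scheme: %r" % uri)
    # SQLAlchemy schemes are '<backend>' or '<backend>+<driver>'.
    return scheme.split("+", 1)[0]


def hardened_is_allowed(uri: str) -> bool:
    """Reject any URI whose backend is blocked, whatever driver it names."""
    try:
        return backend_name(uri) not in BLOCKED_BACKENDS
    except ValueError:
        return False  # unparseable input fails closed


if __name__ == "__main__":
    # Constructed sample connection strings, not taken from any real system.
    samples = [
        "sqlite:////var/lib/superset/new.db",
        "sqlite+pysqlite:////var/lib/superset/new.db",
        "SQLite+pysqlite:////var/lib/superset/new.db",
        "postgresql+psycopg2://user:pw@db.example/analytics",
    ]
    for s in samples:
        print(f"{s:52} naive={naive_is_allowed(s)!s:5} hardened={hardened_is_allowed(s)}")
```

The same normalization should be applied to connection strings arriving through an import path, since the text above notes that database imports reach the registration logic as well.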
Public references, including the Apache mailing list thread and PacketStorm disclosures, point to coordinated advisories that address the driver registration bypass and recommend restricting database connection capabilities and avoiding SQLite for production metadata storage. The EPSS score has remained near 0.72 with a peak of 0.74, indicating sustained but not sharply increasing exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2494
Vulnerability details
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.