CVE-2024-39887
Published: 16 July 2024
Summary
CVE-2024-39887 is a medium-severity SQL Injection (CWE-89) vulnerability in Apache Superset, with a CVSS base score of 4.3 (Medium).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Superset versions prior to 4.0.2 contain an SQL injection vulnerability (CWE-89) stemming from incomplete neutralization of special elements in SQL statements. The flaw occurs because certain database engine-specific functions are not validated by the existing authorization checks, so a crafted query can bypass Superset's SQL authorization (the checks that decide which schemas and tables a submitted statement may read). The CVSS 4.3 rating reflects network access with low privileges and limited confidentiality impact.
An authenticated user with low-privileged access can submit queries that invoke these unchecked functions and thereby extract information that Superset's data-access rules would normally withhold. The attack requires no user interaction and can be performed remotely over the network.
Apache advisories recommend an immediate upgrade to version 4.0.2. The release introduces a new configuration parameter, DISALLOWED_SQL_FUNCTIONS, that blocks the PostgreSQL functions version, query_to_xml, inet_server_addr, and inet_client_addr by default; administrators may extend the list with additional functions for broader protection. Note that the four default entries are PostgreSQL functions, so the shipped list only covers PostgreSQL-backed databases; administrators of deployments connected to other engines should add the equivalent functions for those engines themselves. The referenced OSS-Security and Apache mailing-list posts reiterate the same upgrade and configuration guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2226
Vulnerability details
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection. This issue affects Apache Superset: before 4.0.2. Users are recommended to upgrade to version 4.0.2, which fixes the issue.
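The configuration key described in the Deeper analysis and Vulnerability details sections above, and the check it backs, as an added example rather than code from the Superset project or from this advisory: an extension of DISALLOWED_SQL_FUNCTIONS for superset_config.py, plus a simplified scanner that shows why a function such as query_to_xml matters. The dict-by-engine shape of the setting is assumed here (confirm it against the default in superset/config.py of your 4.0.2+ install); the function names beyond the four defaults, the sample statements and the helper functions referenced_tables, find_disallowed_calls and is_allowed are this example's own choices, not Superset's.

```python
"""Added example: DISALLOWED_SQL_FUNCTIONS override plus an illustrative scanner.

Not Superset project code. The dict-by-engine shape of the setting is an
assumption; check the default in superset/config.py of a 4.0.2+ install.
"""
from __future__ import annotations

import re

# Would live in superset_config.py. The first four names are the 4.0.2
# defaults named in the advisory; the rest are additions chosen for this example.
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {
        "version",
        "query_to_xml",
        "inet_server_addr",
        "inet_client_addr",
        # Added here (example choices): further "run a query / read a table
        # by name" wrappers and server-side file readers.
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "cursor_to_xml",
        "pg_read_file",
        "pg_ls_dir",
    },
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", re.I)


def _blank_literals_and_comments(sql: str) -> str:
    """Replace string literals with '' and drop comments (literals first, so a
    '--' inside a literal is not mistaken for a comment)."""
    return _COMMENT.sub(" ", _STRING_LITERAL.sub("''", sql))


def referenced_tables(sql: str) -> set[str]:
    """What a FROM/JOIN-walking authorization check sees as the tables touched
    by the statement. Heuristic, for illustration only: Superset's real check
    works on its parsed statement, not on regexes."""
    return set(_TABLE_REF.findall(_blank_literals_and_comments(sql)))


def find_disallowed_calls(
    sql: str,
    engine: str,
    disallowed: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS,
) -> list[str]:
    """Function names called in `sql` that are denylisted for `engine`.
    Catches schema-qualified calls (pg_catalog.version()) and ignores names
    that appear only inside string literals or comments."""
    blocked = disallowed.get(engine, set())
    calls = _CALL.findall(_blank_literals_and_comments(sql))
    return sorted({c.lower() for c in calls if c.lower() in blocked})


def is_allowed(sql: str, engine: str) -> bool:
    return not find_disallowed_calls(sql, engine)


# Constructed sample statements (not taken from the advisory).
SAMPLE_QUERIES = {
    "benign": "SELECT region, SUM(amount) FROM sales GROUP BY region",
    "fingerprint": "SELECT version()",
    "wrapped_select": "SELECT query_to_xml('SELECT * FROM hr.salaries', true, false, '')",
    "qualified": "SELECT pg_catalog.inet_server_addr() -- where is the DB?",
    "literal_only": "SELECT 'version()' AS note FROM sales",
}

if __name__ == "__main__":
    for name, sql in SAMPLE_QUERIES.items():
        print(f"{name:15} tables seen={sorted(referenced_tables(sql)) or '-'} "
              f"blocked={find_disallowed_calls(sql, 'postgresql') or '-'}")
```

The wrapped_select case is the one to look at: query_to_xml takes the statement to run as a string argument, so an authorization check that walks FROM and JOIN clauses sees no table at all (referenced_tables returns an empty set) while the database happily reads hr.salaries; the function-name denylist catches the wrapper instead. The same reasoning is why table_to_xml, which reads a table given only its name, is worth adding. The four defaults are PostgreSQL-specific, so an installation connected to other engines needs its own entries under their engine keys.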
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Apache Superset before 4.0.2 (fixed in 4.0.2).
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; candidate controls are derived from the weakness type cited in the NVD entry (CWE-89).