
CVE-2024-39887

Severity: Medium
Published: 16 July 2024
Modified: 13 February 2025
KEV Added: not listed
Patch: available (Apache Superset 4.0.2)
CVSS v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.6140 (98.4th percentile)
Risk Priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39887 is a medium-severity SQL injection (CWE-89) vulnerability in Apache Superset versions before 4.0.2, with a CVSS 3.1 base score of 4.3.

Its EPSS score places it in the top 1.6% of all CVEs by estimated exploitation likelihood, even though it is not listed in the CISA KEV catalog; treat the low CVSS score with that in mind.

Deeper analysis

Apache Superset versions before 4.0.2 contain an SQL injection weakness (CWE-89) arising from incomplete neutralization of special elements in SQL statements. Superset enforces data-access authorization by inspecting the SQL a user submits, but certain database engine-specific functions were not covered by those checks, so a crafted query could call them and step around Superset's SQL controls. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) scores 4.3: network attack vector, low attack complexity, low privileges required, no user interaction, limited confidentiality impact and no integrity or availability impact.

An authenticated user with low privileges (any account permitted to submit SQL) can issue queries that invoke those unchecked functions and obtain information that Superset's data-access rules would otherwise withhold. The four PostgreSQL functions named in the fix show why this matters: version(), inet_server_addr() and inet_client_addr() disclose the server version and network addresses, useful reconnaissance on their own, while query_to_xml() takes the statement to execute as a string argument, so an authorization check that parses only the outer statement never sees the tables the inner query reads. The attack requires no user interaction and is performed remotely over the network.

The Apache advisory recommends upgrading to version 4.0.2. That release adds a configuration parameter, DISALLOWED_SQL_FUNCTIONS, which denies the PostgreSQL functions version, query_to_xml, inet_server_addr and inet_client_addr by default; administrators can extend the list, per database engine, in superset_config.py. Treat the denylist as defence in depth rather than a substitute for the upgrade: it blocks only the functions it names, so any other engine-specific function that executes a query, reads a file or makes a network request is a candidate for the list. The referenced OSS-Security and Apache mailing-list posts repeat the same upgrade and configuration guidance.
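As an added example (not Superset's own code), the following Python implements a per-engine function denylist of the kind the DISALLOWED_SQL_FUNCTIONS setting provides, together with the part that makes such a check hold up: the function name must be found in call position, not inside a string literal or comment, while comments, letter case, schema qualification and quoted identifiers must not let a call slip past. Superset performs its own check inside its SQL parsing layer; this stand-alone version uses a small tokenizer instead so it runs without Superset installed. The dict-of-sets shape follows how the setting appears in superset/config.py (verify against the version you run); the "clickhouse" entry, the function names called_functions, find_disallowed and enforce, the DisallowedFunctionError class and all sample queries and table names are assumptions constructed for this example.

```python
"""
Added example, not Superset's own code: a per-engine SQL function denylist
of the kind the DISALLOWED_SQL_FUNCTIONS setting provides, with a small
tokenizer so the check runs stand-alone, without Superset installed.
"""
import re

# Shape of the setting as it appears in superset/config.py (verify against
# the version you run): database engine name -> set of function names that
# a submitted query may not call. The "postgresql" entry holds the four
# defaults named in the advisory. The "clickhouse" entry is an assumption
# added here to show the list is per engine; it is not an official default.
# In a deployment this dict lives in superset_config.py.
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"},
    "clickhouse": {"url"},
}

# Lexical elements that can hide or disguise a function name. Order matters:
# comments and literals are matched before identifiers so that text inside
# them is never mistaken for code.
_TOKEN_RE = re.compile(
    "|".join(
        [
            r"(?P<comment>/\*.*?\*/|--[^\n]*)",
            r"(?P<dollar>\$(?P<tag>[A-Za-z_]*)\$.*?\$(?P=tag)\$)",  # $tag$ ... $tag$
            r"(?P<estring>[eE]'(?:[^'\\]|\\.|'')*')",               # E'...' with backslashes
            r"(?P<string>'(?:[^']|'')*')",                           # standard '' literal
            r'(?P<quoted>"(?:[^"]|"")*")',                           # "quoted identifier"
            r"(?P<ident>[A-Za-z_][A-Za-z0-9_]*)",
            r"(?P<other>\S)",                                        # any other single char
        ]
    ),
    re.DOTALL,
)


class DisallowedFunctionError(ValueError):
    """Raised when a query calls a function denied for its engine."""


def called_functions(sql: str) -> set[str]:
    """Return lower-cased names that appear in call position in `sql`.

    Call position means an identifier followed by "(" with only whitespace
    or comments in between, which is what PostgreSQL accepts. Names inside
    string literals, dollar-quoted strings and comments are skipped, so the
    literal 'version()' does not trigger. Keywords such as IN or FROM that
    precede a parenthesis are returned too; a denylist never contains them.
    Quoted identifiers are lower-cased as well, which can over-match
    ("VERSION"() is a different function in PostgreSQL) but never under-match.
    """
    names: set[str] = set()
    pending = None  # identifier waiting to see whether "(" follows it
    for m in _TOKEN_RE.finditer(sql):
        if m.group("comment") is not None:
            continue  # a comment may sit between the name and "("
        if m.group("ident") is not None:
            pending = m.group("ident").lower()
            continue
        if m.group("quoted") is not None:
            pending = m.group("quoted")[1:-1].replace('""', '"').lower()
            continue
        if m.group("other") == "(" and pending is not None:
            names.add(pending)
        pending = None  # literals and other punctuation end a candidate
    return names


def find_disallowed(sql: str, engine: str,
                    disallowed: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS) -> set[str]:
    """Names in `sql` that are denied for `engine` (empty set means allowed)."""
    return called_functions(sql) & disallowed.get(engine, set())


def enforce(sql: str, engine: str,
            disallowed: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS) -> None:
    """Reject `sql` before it reaches the database if it calls a denied function."""
    hits = find_disallowed(sql, engine, disallowed)
    if hits:
        raise DisallowedFunctionError(
            f"{engine}: query calls disallowed function(s) {sorted(hits)}")


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    samples = [
        ("postgresql", "SELECT name, COUNT(*) FROM orders GROUP BY name"),
        ("postgresql", "SELECT version()"),
        ("postgresql", "SELECT pg_catalog.VERSION /* case and comment */ ()"),
        ("postgresql", "SELECT \"version\"()"),
        # The bypass pattern: the inner statement is a string argument, so an
        # authorization check that parses the outer statement never sees hr.salaries.
        ("postgresql", "SELECT query_to_xml('SELECT * FROM hr.salaries', true, false, '')"),
        ("postgresql", "SELECT 'version()' AS label, $$inet_server_addr()$$ AS note"),
        ("postgresql", "SELECT E'\\'', inet_client_addr()"),
        ("clickhouse", "SELECT * FROM url('http://internal.example/', 'RawBLOB')"),
        ("postgresql", "SELECT * FROM url('http://internal.example/', 'RawBLOB')"),
    ]
    for engine, sql in samples:
        hits = find_disallowed(sql, engine)
        verdict = "BLOCK " + ",".join(sorted(hits)) if hits else "allow"
        print(f"{engine:10} {verdict:25} {sql}")
```

The design point is that a denylist is only as good as the tokenization in front of it: a naive substring match on "version" would both false-positive on the literal 'version()' and miss VERSION /* */ () or "version"(). The check is also deliberately per engine, so a function denied for ClickHouse is not flagged on a PostgreSQL connection, and it fails safe on malformed input: an unterminated quote simply causes the rest of the text to be scanned as code, which can over-match but cannot hide a call.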

Vulnerability details

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection. This issue affects Apache Superset: before 4.0.2. Users are recommended to upgrade to version 4.0.2, which fixes the issue.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
superset
< 4.0.2 (4.0.2 is the fixed release)

Mitigating Controls

Per-CVE control mapping has not run yet for this CVE; the controls below are derived from the weakness type (CWE-89) cited in the NVD entry. The vendor-specific controls for this issue are the upgrade to Apache Superset 4.0.2 and the DISALLOWED_SQL_FUNCTIONS setting described above.

Penetration testing (addresses CWE-89)
Exercises database-facing interfaces with SQL injection payloads to identify, and support fixes for, SQL injection weaknesses.

Input validation (addresses CWE-89)
Validates query inputs to prevent manipulation of SQL syntax or commands.
