Apache Superset: Server arbitrary file read
Description
Improper Input Validation vulnerability in Apache Superset allows an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow local infile, the attacker can execute a specific MySQL/MariaDB SQL command that reads files from the server and inserts their content into a MariaDB database table. This issue affects Apache Superset: before 3.1.3 and version 4.0.0.
Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset before 3.1.3 and 4.0.0 allows authenticated attackers to read server files by exploiting a local_infile setting in MariaDB connections due to improper input validation.
Vulnerability
Overview
CVE-2024-34693 is an improper input validation vulnerability in Apache Superset that affects versions before 3.1.3 and version 4.0.0 [1]. The flaw permits an authenticated attacker to create a MariaDB database connection with the local_infile flag enabled. This setting, combined with the MariaDB server (off by default) and the local MySQL client on the web server configured to allow local infile operations, can be exploited to read arbitrary files from the server's filesystem [1][3]. The root cause is insufficient validation of database connection parameters, allowing the attacker to toggle a dangerous feature.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
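The description and overview above both come down to one missing check: a database connection definition submitted by an authenticated user should never be allowed to switch on the MySQL/MariaDB client's local-infile option. The validator below is an added illustration of that check, not Superset's own code and not the upstream fix. It assumes an SQLAlchemy-style URI plus an "extra" JSON blob whose `engine_params.connect_args` keys reach the driver (the key names and the accepted truthy spellings are assumptions), and it flags the option whether it arrives in the URI query string or in `connect_args`.

```python
"""Reject MySQL/MariaDB connection settings that enable client-side local infile.

Hypothetical validator written for this page; it is not Superset's own code.
It inspects the two places such a switch can hide in an SQLAlchemy-style
connection: the URI query string and the driver connect_args dictionary
(assumed here to live under extra["engine_params"]["connect_args"]).
"""
import json
from urllib.parse import parse_qs, urlsplit

# Dialect prefixes whose drivers expose a local-infile switch (constructed list)
MYSQL_DIALECTS = ("mysql", "mariadb")

# Spellings treated as "enabled" for boolean driver options (assumption)
TRUTHY = {"1", "true", "yes", "on"}


def _is_truthy(value) -> bool:
    """Interpret bools, numbers and common string spellings as on/off."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    return str(value).strip().lower() in TRUTHY


def local_infile_violations(uri: str, extra_json: str = "{}") -> list:
    """Return human-readable findings; an empty list means the settings are acceptable."""
    findings = []
    parts = urlsplit(uri)
    dialect = parts.scheme.split("+", 1)[0].lower()
    if dialect not in MYSQL_DIALECTS:
        return findings  # only MySQL-family drivers carry a local_infile option

    # 1. Query-string form, e.g. mysql://u:p@host/db?local_infile=1
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "local_infile" and any(_is_truthy(v) for v in values):
            findings.append(f"uri query enables local_infile: {key}={values}")

    # 2. connect_args form inside the extra JSON
    try:
        extra = json.loads(extra_json) if extra_json else {}
    except json.JSONDecodeError as exc:
        findings.append(f"extra is not valid JSON: {exc}")
        return findings
    if not isinstance(extra, dict):
        extra = {}
    engine_params = extra.get("engine_params") or {}
    connect_args = engine_params.get("connect_args") or {} if isinstance(engine_params, dict) else {}
    for key, value in connect_args.items():
        if key.lower() == "local_infile" and _is_truthy(value):
            findings.append(f"connect_args enables local_infile: {key}={value!r}")
    return findings


def validate_connection(uri: str, extra_json: str = "{}") -> None:
    """Raise ValueError when the connection definition would enable local infile."""
    findings = local_infile_violations(uri, extra_json)
    if findings:
        raise ValueError("; ".join(findings))


if __name__ == "__main__":
    # Constructed samples: a clean definition, the switch in connect_args, the switch in the URI
    samples = [
        ("mysql+pymysql://app:secret@db.internal/reports", "{}"),
        ("mysql+pymysql://app:secret@db.internal/reports",
         '{"engine_params": {"connect_args": {"local_infile": 1}}}'),
        ("mariadb+mariadbconnector://app:secret@db.internal/reports?local_infile=true", "{}"),
    ]
    for sample_uri, sample_extra in samples:
        print(sample_uri, "->", local_infile_violations(sample_uri, sample_extra) or "ok")
```

Running the check at connection-creation time closes the application-side half of the issue; the server-side half stays closed as long as the MariaDB server's own local-infile setting remains at its default of off.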
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 3.1.3 | 3.1.3 |
| apache-superset (PyPI) | >= 4.0.0, < 4.0.1 | 4.0.1 |
Affected products
OSV coordinates (3 entries):
- (no CPE) range: < 4.1.1
- (no CPE) range: < 3.1.3
- Apache Software Foundation / Apache Superset v5, range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-hcr7-cqwc-q5gq (GHSA advisory)
- https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon (vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-34693 (NVD advisory)
- https://www.openwall.com/lists/oss-security/2024/06/20/1 (oss-security post)
News mentions
No linked articles in our index yet.