Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.
This issue affects Apache Superset: <4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-supersetPyPI | < 4.1.0 | 4.1.0 |
Affected products
3- osv-coords2 versions
< 4.1.1+ 1 more
- (no CPE)range: < 4.1.1
- (no CPE)range: < 4.1.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-92qf-8gh3-gwcmghsaADVISORY
- lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmnghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-53947ghsaADVISORY
- github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146fghsaWEB
News mentions
0No linked articles in our index yet.